cybergate | 42341d403cd2400c21151517c768ea9b505754b86b13e33611f315bcf2297c34

Analysis

max time kernel
19s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-02-2025 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_21157544242f9630fc8ae21a0f476a77.exe
Size

1.2MB
MD5

21157544242f9630fc8ae21a0f476a77
SHA1

689bef9cf03a249c576f1f54bf5c85434ea698f1
SHA256

42341d403cd2400c21151517c768ea9b505754b86b13e33611f315bcf2297c34
SHA512

4e86fcefeb2a3d74f8326b3c3a2e87e3aa7de5d4a9f059cd4e113fe45b8fc1dc924927e20bbef28481365ba065361769cb53bb50c764d96256b6b3fd0ff4fe23
SSDEEP

24576:IeVBKWy5YRIFotbHZfty1vn1ooeoxURa7g6oXvUtPkDION4b:RK35KIFMLZVyt1goxUMg6oXvqcDI/b

Score

10^/10

cybergate infectado defense_evasion discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Infectado

cilacorp.no-ip.org:2727

cilacorp.no-ip.org:1234

cilacorp.no-ip.org:2222

cilacorp.no-ip.org:3333

Mutex

70O6TTO1XHXL7E

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
win323264
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123321a
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Windows security bypass 2 TTPs 64 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\win323264\\svchost.exe"	b.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\win323264\\svchost.exe"	b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{43454YE6-2580-6E82-L840-7701PU6A8MY7}	b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43454YE6-2580-6E82-L840-7701PU6A8MY7}\StubPath = "C:\\Windows\\system32\\win323264\\svchost.exe Restart"	b.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{43454YE6-2580-6E82-L840-7701PU6A8MY7}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43454YE6-2580-6E82-L840-7701PU6A8MY7}\StubPath = "C:\\Windows\\system32\\win323264\\svchost.exe"	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
900	a.exe
2356	b.exe
1804	c.exe
2884	svchost.exe
3008	d.exe
2828	e.exe
2772	g.exe
2564	f.exe
2660	h.exe
996	svchost
2148	smss.exe
876	smss.exe
1632	smss.exe
2584	smss.exe
2988	smss.exe
1768	winsvchosts.exe
1620	smss.exe
1804	smss.exe
3040	svchost.exe
1620	smss.exe
2212	svchost.exe
2320	smss.exe
1780	smss.exe
2084	smss.exe
2372	smss.exe
1572	smss.exe
2872	smss.exe
2444	smss.exe
2320	smss.exe
1900	smss.exe
3168	smss.exe
3336	smss.exe
3548	smss.exe
3736	smss.exe
3968	smss.exe
2268	smss.exe
3252	smss.exe
3596	smss.exe
3768	smss.exe
3992	smss.exe
3372	smss.exe
3324	smss.exe
3728	smss.exe
1256	smss.exe
3612	smss.exe
3324	smss.exe
3160	smss.exe
3520	smss.exe
4068	smss.exe
3316	smss.exe
2444	smss.exe
3040	smss.exe
3144	smss.exe
4004	smss.exe
4080	smss.exe
3520	smss.exe
4272	smss.exe
4452	smss.exe
4648	smss.exe
4832	smss.exe
5032	smss.exe
4100	smss.exe
4276	smss.exe
4672	smss.exe

Loads dropped DLL 64 IoCs

pid	Process
2060	cmd.exe
2060	cmd.exe
2060	cmd.exe
2060	cmd.exe
2060	cmd.exe
2060	cmd.exe
2060	cmd.exe
2060	cmd.exe
2060	cmd.exe
2060	cmd.exe
2060	cmd.exe
2060	cmd.exe
2060	cmd.exe
2060	cmd.exe
2060	cmd.exe
2060	cmd.exe
2660	h.exe
2660	h.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
1804	c.exe
1804	c.exe
2148	smss.exe
2148	smss.exe
876	smss.exe
876	smss.exe
1632	smss.exe
1632	smss.exe
2584	smss.exe
2584	smss.exe
2772	g.exe
2772	g.exe
2988	smss.exe
2988	smss.exe
1620	smss.exe
1620	smss.exe
2356	b.exe
2356	b.exe
1804	smss.exe
1804	smss.exe
2720	explorer.exe
2720	explorer.exe
1620	smss.exe
1620	smss.exe
2320	smss.exe
2320	smss.exe
1780	smss.exe
1780	smss.exe
2084	smss.exe
2084	smss.exe
2296	WerFault.exe
2296	WerFault.exe
2372	smss.exe
2372	smss.exe
2296	WerFault.exe
1572	smss.exe
1572	smss.exe
2872	smss.exe
2872	smss.exe
2444	smss.exe
2444	smss.exe
2320	smss.exe
2320	smss.exe

Windows security modification 2 TTPs 64 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\win323264\\svchost.exe"	b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\win323264\\svchost.exe"	b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\win3264\\smss.exe"	smss.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	explorer.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\_dcsc_.bat	smss.exe
File opened for modification	C:\Windows\SysWOW64\_dcsc_.bat	smss.exe
File opened for modification	C:\Windows\SysWOW64\_dcsc_.bat	smss.exe
File opened for modification	C:\Windows\SysWOW64\win3264\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\win3264\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\win3264\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\win3264\	smss.exe
File opened for modification	C:\Windows\SysWOW64\win3264\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\_dcsc_.bat	smss.exe
File opened for modification	C:\Windows\SysWOW64\Script.vbs	smss.exe
File opened for modification	C:\Windows\SysWOW64\Script.vbs	smss.exe
File opened for modification	C:\Windows\SysWOW64\win323264\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\Script.vbs	smss.exe
File opened for modification	C:\Windows\SysWOW64\Script.vbs	smss.exe
File opened for modification	C:\Windows\SysWOW64\win3264\	smss.exe
File opened for modification	C:\Windows\SysWOW64\win3264\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\win3264\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\Script.vbs	smss.exe
File created	C:\Windows\SysWOW64\win3264\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\Script.vbs	smss.exe
File created	C:\Windows\SysWOW64\win3264\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\win3264\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\_dcsc_.bat	smss.exe
File opened for modification	C:\Windows\SysWOW64\win3264\	smss.exe
File opened for modification	C:\Windows\SysWOW64\_dcsc_.bat	smss.exe
File created	C:\Windows\SysWOW64\win3264\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\win3264\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\Script.vbs	smss.exe
File opened for modification	C:\Windows\SysWOW64\Script.vbs	smss.exe
File opened for modification	C:\Windows\SysWOW64\Script.vbs	smss.exe
File created	C:\Windows\SysWOW64\win3264\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\win3264\	smss.exe
File opened for modification	C:\Windows\SysWOW64\_dcsc_.bat	smss.exe
File opened for modification	C:\Windows\SysWOW64\_dcsc_.bat	smss.exe
File opened for modification	C:\Windows\SysWOW64\win3264\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\win3264\	smss.exe
File created	C:\Windows\SysWOW64\win3264\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\win3264\	smss.exe
File opened for modification	C:\Windows\SysWOW64\win3264\	smss.exe
File opened for modification	C:\Windows\SysWOW64\Script.vbs	smss.exe
File created	C:\Windows\SysWOW64\win3264\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\Script.vbs	smss.exe
File created	C:\Windows\SysWOW64\win3264\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\win3264\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\Script.vbs	smss.exe
File opened for modification	C:\Windows\SysWOW64\Script.vbs	smss.exe
File opened for modification	C:\Windows\SysWOW64\_dcsc_.bat	smss.exe
File created	C:\Windows\SysWOW64\win3264\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\win3264\	smss.exe
File opened for modification	C:\Windows\SysWOW64\Script.vbs	smss.exe
File opened for modification	C:\Windows\SysWOW64\win3264\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\win3264\	smss.exe
File opened for modification	C:\Windows\SysWOW64\win3264\	smss.exe
File opened for modification	C:\Windows\SysWOW64\_dcsc_.bat	smss.exe
File created	C:\Windows\SysWOW64\win3264\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\win3264\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\win323264\svchost.exe	b.exe
File opened for modification	C:\Windows\SysWOW64\win3264\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\_dcsc_.bat	smss.exe
File created	C:\Windows\SysWOW64\win3264\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\win3264\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\win3264\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\win3264\	smss.exe
File opened for modification	C:\Windows\SysWOW64\win3264\	smss.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016d0e-18.dat	upx
behavioral1/files/0x0008000000016d21-74.dat	upx
behavioral1/memory/2884-52-0x0000000040010000-0x000000004004B000-memory.dmp	upx
behavioral1/memory/3008-38-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2356-21-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2356-110-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/2356-713-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/3008-749-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2356-1136-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/3040-1139-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2212-1165-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/3040-1186-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2212-1214-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2608	3008	WerFault.exe
2296	1768	WerFault.exe	73
3948	2828	WerFault.exe	37

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4688	Process not Found
3948	Process not Found
5116	Process not Found
4404	Process not Found
4332	PING.EXE
976	PING.EXE
5088	Process not Found
3024	Process not Found
4452	Process not Found
4860	Process not Found
1644	PING.EXE
2432	PING.EXE
5096	PING.EXE
3800	Process not Found
4844	Process not Found
2164	Process not Found
1472	Process not Found
3940	Process not Found
4768	PING.EXE
2064	Process not Found
4572	Process not Found
5028	Process not Found
4084	Process not Found
4528	Process not Found
2132	Process not Found
3372	Process not Found
2184	PING.EXE
3248	Process not Found
4496	Process not Found
892	Process not Found
3664	Process not Found
3244	PING.EXE
4448	Process not Found
3868	Process not Found
4464	Process not Found
1932	PING.EXE
4912	Process not Found
2232	Process not Found
3908	Process not Found
4644	Process not Found
320	Process not Found
1780	Process not Found
4632	Process not Found
4264	Process not Found
4500	PING.EXE
3040	Process not Found
2520	PING.EXE
4748	Process not Found
2280	PING.EXE
2900	PING.EXE
4868	PING.EXE
3916	PING.EXE
4132	PING.EXE
5080	Process not Found
4192	Process not Found
3360	Process not Found
3284	Process not Found
3760	Process not Found
3708	PING.EXE
4800	PING.EXE
1564	Process not Found
3016	Process not Found
1936	Process not Found
4556	PING.EXE

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
4512	PING.EXE
3860	Process not Found
3656	Process not Found
1256	PING.EXE
3540	PING.EXE
1564	PING.EXE
3472	Process not Found
1332	Process not Found
2004	PING.EXE
3828	PING.EXE
3868	Process not Found
2268	Process not Found
3948	Process not Found
2900	PING.EXE
3060	PING.EXE
3352	PING.EXE
4292	Process not Found
3144	Process not Found
3464	PING.EXE
4616	Process not Found
5028	Process not Found
3288	Process not Found
4016	Process not Found
3540	Process not Found
2400	Process not Found
5104	Process not Found
4336	PING.EXE
4644	PING.EXE
3408	Process not Found
3924	Process not Found
2028	Process not Found
2708	Process not Found
4264	Process not Found
3460	Process not Found
4256	PING.EXE
3616	Process not Found
5108	Process not Found
1996	Process not Found
3996	Process not Found
5032	Process not Found
3200	Process not Found
1932	PING.EXE
3652	PING.EXE
2344	PING.EXE
4028	Process not Found
3580	Process not Found
1544	Process not Found
4316	Process not Found
1780	Process not Found
4892	PING.EXE
3132	PING.EXE
4568	Process not Found
3132	Process not Found
4592	Process not Found
3612	Process not Found
976	Process not Found
3564	Process not Found
4304	PING.EXE
4832	Process not Found
4904	Process not Found
3100	Process not Found
4688	Process not Found
4860	Process not Found
4748	Process not Found

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2564	f.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1804	c.exe
Token: SeSecurityPrivilege	1804	c.exe
Token: SeTakeOwnershipPrivilege	1804	c.exe
Token: SeLoadDriverPrivilege	1804	c.exe
Token: SeSystemProfilePrivilege	1804	c.exe
Token: SeSystemtimePrivilege	1804	c.exe
Token: SeProfSingleProcessPrivilege	1804	c.exe
Token: SeIncBasePriorityPrivilege	1804	c.exe
Token: SeCreatePagefilePrivilege	1804	c.exe
Token: SeBackupPrivilege	1804	c.exe
Token: SeRestorePrivilege	1804	c.exe
Token: SeShutdownPrivilege	1804	c.exe
Token: SeDebugPrivilege	1804	c.exe
Token: SeSystemEnvironmentPrivilege	1804	c.exe
Token: SeChangeNotifyPrivilege	1804	c.exe
Token: SeRemoteShutdownPrivilege	1804	c.exe
Token: SeUndockPrivilege	1804	c.exe
Token: SeManageVolumePrivilege	1804	c.exe
Token: SeImpersonatePrivilege	1804	c.exe
Token: SeCreateGlobalPrivilege	1804	c.exe
Token: 33	1804	c.exe
Token: 34	1804	c.exe
Token: 35	1804	c.exe
Token: SeDebugPrivilege	2564	f.exe
Token: SeIncreaseQuotaPrivilege	2148	smss.exe
Token: SeSecurityPrivilege	2148	smss.exe
Token: SeTakeOwnershipPrivilege	2148	smss.exe
Token: SeLoadDriverPrivilege	2148	smss.exe
Token: SeSystemProfilePrivilege	2148	smss.exe
Token: SeSystemtimePrivilege	2148	smss.exe
Token: SeProfSingleProcessPrivilege	2148	smss.exe
Token: SeIncBasePriorityPrivilege	2148	smss.exe
Token: SeCreatePagefilePrivilege	2148	smss.exe
Token: SeBackupPrivilege	2148	smss.exe
Token: SeRestorePrivilege	2148	smss.exe
Token: SeShutdownPrivilege	2148	smss.exe
Token: SeDebugPrivilege	2148	smss.exe
Token: SeSystemEnvironmentPrivilege	2148	smss.exe
Token: SeChangeNotifyPrivilege	2148	smss.exe
Token: SeRemoteShutdownPrivilege	2148	smss.exe
Token: SeUndockPrivilege	2148	smss.exe
Token: SeManageVolumePrivilege	2148	smss.exe
Token: SeImpersonatePrivilege	2148	smss.exe
Token: SeCreateGlobalPrivilege	2148	smss.exe
Token: 33	2148	smss.exe
Token: 34	2148	smss.exe
Token: 35	2148	smss.exe
Token: SeBackupPrivilege	1048	explorer.exe
Token: SeRestorePrivilege	1048	explorer.exe
Token: SeBackupPrivilege	3000	vssvc.exe
Token: SeRestorePrivilege	3000	vssvc.exe
Token: SeAuditPrivilege	3000	vssvc.exe
Token: SeIncreaseQuotaPrivilege	876	smss.exe
Token: SeSecurityPrivilege	876	smss.exe
Token: SeTakeOwnershipPrivilege	876	smss.exe
Token: SeLoadDriverPrivilege	876	smss.exe
Token: SeSystemProfilePrivilege	876	smss.exe
Token: SeSystemtimePrivilege	876	smss.exe
Token: SeProfSingleProcessPrivilege	876	smss.exe
Token: SeIncBasePriorityPrivilege	876	smss.exe
Token: SeCreatePagefilePrivilege	876	smss.exe
Token: SeBackupPrivilege	876	smss.exe
Token: SeRestorePrivilege	876	smss.exe
Token: SeShutdownPrivilege	876	smss.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
900	a.exe
2356	b.exe
2720	explorer.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2720	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2060	1968	JaffaCakes118_21157544242f9630fc8ae21a0f476a77.exe	30
PID 1968 wrote to memory of 2060	1968	JaffaCakes118_21157544242f9630fc8ae21a0f476a77.exe	30
PID 1968 wrote to memory of 2060	1968	JaffaCakes118_21157544242f9630fc8ae21a0f476a77.exe	30
PID 1968 wrote to memory of 2060	1968	JaffaCakes118_21157544242f9630fc8ae21a0f476a77.exe	30
PID 2060 wrote to memory of 900	2060	cmd.exe	32
PID 2060 wrote to memory of 900	2060	cmd.exe	32
PID 2060 wrote to memory of 900	2060	cmd.exe	32
PID 2060 wrote to memory of 900	2060	cmd.exe	32
PID 2060 wrote to memory of 2356	2060	cmd.exe	33
PID 2060 wrote to memory of 2356	2060	cmd.exe	33
PID 2060 wrote to memory of 2356	2060	cmd.exe	33
PID 2060 wrote to memory of 2356	2060	cmd.exe	33
PID 2060 wrote to memory of 1804	2060	cmd.exe	34
PID 2060 wrote to memory of 1804	2060	cmd.exe	34
PID 2060 wrote to memory of 1804	2060	cmd.exe	34
PID 2060 wrote to memory of 1804	2060	cmd.exe	34
PID 900 wrote to memory of 1108	900	a.exe	20
PID 900 wrote to memory of 1108	900	a.exe	20
PID 900 wrote to memory of 1108	900	a.exe	20
PID 900 wrote to memory of 2884	900	a.exe	35
PID 900 wrote to memory of 2884	900	a.exe	35
PID 900 wrote to memory of 2884	900	a.exe	35
PID 900 wrote to memory of 2884	900	a.exe	35
PID 2060 wrote to memory of 3008	2060	cmd.exe	36
PID 2060 wrote to memory of 3008	2060	cmd.exe	36
PID 2060 wrote to memory of 3008	2060	cmd.exe	36
PID 2060 wrote to memory of 3008	2060	cmd.exe	36
PID 2060 wrote to memory of 2828	2060	cmd.exe	37
PID 2060 wrote to memory of 2828	2060	cmd.exe	37
PID 2060 wrote to memory of 2828	2060	cmd.exe	37
PID 2060 wrote to memory of 2828	2060	cmd.exe	37
PID 2060 wrote to memory of 2564	2060	cmd.exe	38
PID 2060 wrote to memory of 2564	2060	cmd.exe	38
PID 2060 wrote to memory of 2564	2060	cmd.exe	38
PID 2060 wrote to memory of 2564	2060	cmd.exe	38
PID 2060 wrote to memory of 2772	2060	cmd.exe	39
PID 2060 wrote to memory of 2772	2060	cmd.exe	39
PID 2060 wrote to memory of 2772	2060	cmd.exe	39
PID 2060 wrote to memory of 2772	2060	cmd.exe	39
PID 2884 wrote to memory of 2808	2884	svchost.exe	40
PID 2884 wrote to memory of 2808	2884	svchost.exe	40
PID 2884 wrote to memory of 2808	2884	svchost.exe	40
PID 2884 wrote to memory of 2808	2884	svchost.exe	40
PID 2884 wrote to memory of 2808	2884	svchost.exe	40
PID 2884 wrote to memory of 2808	2884	svchost.exe	40
PID 2884 wrote to memory of 2808	2884	svchost.exe	40
PID 2884 wrote to memory of 2808	2884	svchost.exe	40
PID 2884 wrote to memory of 2808	2884	svchost.exe	40
PID 2884 wrote to memory of 2808	2884	svchost.exe	40
PID 2884 wrote to memory of 2808	2884	svchost.exe	40
PID 2884 wrote to memory of 2808	2884	svchost.exe	40
PID 2884 wrote to memory of 2808	2884	svchost.exe	40
PID 2884 wrote to memory of 2808	2884	svchost.exe	40
PID 2884 wrote to memory of 2808	2884	svchost.exe	40
PID 2884 wrote to memory of 2808	2884	svchost.exe	40
PID 2884 wrote to memory of 2808	2884	svchost.exe	40
PID 2884 wrote to memory of 2808	2884	svchost.exe	40
PID 2884 wrote to memory of 2808	2884	svchost.exe	40
PID 2884 wrote to memory of 2808	2884	svchost.exe	40
PID 2884 wrote to memory of 2808	2884	svchost.exe	40
PID 2884 wrote to memory of 2808	2884	svchost.exe	40
PID 2884 wrote to memory of 2808	2884	svchost.exe	40
PID 2884 wrote to memory of 2808	2884	svchost.exe	40
PID 2884 wrote to memory of 2808	2884	svchost.exe	40

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1108
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21157544242f9630fc8ae21a0f476a77.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21157544242f9630fc8ae21a0f476a77.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1968372.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21157544242f9630fc8ae21a0f476a77.exe""
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Users\Admin\AppData\Local\a.exe
      C:\Users\Admin\AppData\Local\a.exe
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:900
    - - C:\Windows\svchost.exe
        
        -bs
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2884
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2808
  - - C:\Users\Admin\AppData\Local\b.exe
      C:\Users\Admin\AppData\Local\b.exe
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of FindShellTrayWindow
      PID:2356
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Loads dropped DLL
        Drops desktop.ini file(s)
        Drops file in System32 directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2720
      - C:\Windows\SysWOW64\win323264\svchost.exe
        
        "C:\Windows\system32\win323264\svchost.exe"
        6⤵
        Executes dropped EXE
        
        PID:2212
    - - C:\Windows\SysWOW64\win323264\svchost.exe
        
        "C:\Windows\system32\win323264\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:3040
  - - C:\Users\Admin\AppData\Local\c.exe
      C:\Users\Admin\AppData\Local\c.exe
      4⤵
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:1804
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        5⤵
        
        PID:1544
    - - C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        5⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1184
      - C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        6⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        7⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Adds Run key to start application
        
        PID:1632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        8⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        8⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        9⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        10⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        10⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        11⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        11⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Adds Run key to start application
        
        PID:1804
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        12⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        13⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Adds Run key to start application
        
        PID:2320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        14⤵
        
        PID:832
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        14⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1780
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        15⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Adds Run key to start application
        
        PID:2084
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        16⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        16⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Adds Run key to start application
        
        PID:2372
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        17⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        18⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2872
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        19⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2444
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        20⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        20⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        21⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        21⤵
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1900
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        22⤵
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3168
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        23⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        23⤵
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3336
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        24⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3548
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        25⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        25⤵
        Windows security bypass
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        26⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        27⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        27⤵
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        28⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        28⤵
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3252
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        29⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        29⤵
        Windows security bypass
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3596
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        30⤵
        Windows security bypass
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:3724
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        31⤵
        Executes dropped EXE
        Windows security modification
        
        PID:3992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        32⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        32⤵
        Executes dropped EXE
        
        PID:3372
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        33⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        33⤵
        Windows security bypass
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        34⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        35⤵
        Windows security bypass
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1256
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        36⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        36⤵
        Executes dropped EXE
        
        PID:3612
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        37⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        37⤵
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        38⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        38⤵
        Windows security bypass
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3160
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        39⤵
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        40⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        40⤵
        Windows security bypass
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        41⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        41⤵
        Windows security bypass
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3316
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        42⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        42⤵
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        
        PID:2444
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        43⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        43⤵
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3040
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        44⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        44⤵
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        
        PID:3144
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        45⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        45⤵
        Windows security bypass
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        46⤵
        
        PID:748
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        46⤵
        Windows security bypass
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4080
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        47⤵
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        
        PID:3520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        48⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        48⤵
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        
        PID:4272
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        49⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        49⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4452
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        50⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        50⤵
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4648
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        51⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        51⤵
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        
        PID:4832
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        52⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        52⤵
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        
        PID:5032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        53⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        53⤵
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        54⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        54⤵
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        55⤵
        Executes dropped EXE
        Windows security modification
        
        PID:4672
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        56⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        56⤵
        Windows security bypass
        Windows security modification
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:484
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        57⤵
        Windows security modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        58⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        58⤵
        Windows security bypass
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4224
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        59⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        59⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        60⤵
        
        PID:320
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        60⤵
        Windows security bypass
        Windows security modification
        Adds Run key to start application
        
        PID:3052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        61⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        61⤵
        Windows security bypass
        
        PID:5084
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        62⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        62⤵
        Windows security bypass
        Windows security modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3528
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        63⤵
        Windows security bypass
        
        PID:1332
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:608
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        64⤵
        Windows security bypass
        Windows security modification
        Adds Run key to start application
        
        PID:5024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        65⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        65⤵
        Windows security bypass
        Windows security modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4724
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        66⤵
        Windows security bypass
        
        PID:4668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        67⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        67⤵
        Windows security modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4664
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        68⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        68⤵
        Windows security bypass
        Adds Run key to start application
        
        PID:1888
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        69⤵
        Windows security bypass
        Adds Run key to start application
        
        PID:1952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        70⤵
        Windows security bypass
        Windows security modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        71⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        71⤵
        Windows security bypass
        Windows security modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2080
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        72⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        72⤵
        Windows security bypass
        Adds Run key to start application
        
        PID:2196
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        73⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        73⤵
        Windows security bypass
        Windows security modification
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        74⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        74⤵
        Windows security modification
        Adds Run key to start application
        
        PID:4844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        75⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        75⤵
        Windows security modification
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        76⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        76⤵
        Windows security bypass
        Windows security modification
        Adds Run key to start application
        
        PID:4588
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        77⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        77⤵
        Windows security bypass
        Windows security modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3568
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        78⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        78⤵
        Windows security bypass
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3560
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        79⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        79⤵
        Windows security bypass
        Windows security modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4284
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        80⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        80⤵
        Windows security bypass
        Windows security modification
        Drops file in System32 directory
        
        PID:3836
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        81⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        81⤵
        Windows security bypass
        Adds Run key to start application
        
        PID:1472
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        82⤵
        Windows security modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2056
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:352
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        83⤵
        Windows security modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4748
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        84⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        84⤵
        Windows security bypass
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        85⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        85⤵
        Windows security modification
        Adds Run key to start application
        
        PID:3308
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        86⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        86⤵
        Windows security bypass
        Drops file in System32 directory
        
        PID:3480
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        87⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        87⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        88⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        88⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        89⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        89⤵
        
        PID:620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        90⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        90⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        91⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        91⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        92⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        92⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        93⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        93⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        94⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        94⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        95⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        95⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        96⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        96⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        97⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        97⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        98⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        98⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        99⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        99⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        100⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        100⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        101⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        101⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        102⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        102⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        103⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        103⤵
        
        PID:268
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        104⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        104⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        105⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        105⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        106⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        106⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        107⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        107⤵
        
        PID:748
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        108⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        108⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        109⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        109⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        110⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        110⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        111⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        111⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        112⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        112⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        113⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        113⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        114⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        114⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        115⤵
        
        PID:308
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        115⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        116⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        116⤵
        
        PID:868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        117⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        117⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        118⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        118⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        119⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        119⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        120⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        120⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        121⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        121⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        122⤵
        
        PID:924
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        122⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        123⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        123⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        124⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        124⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        125⤵
        
        PID:408
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        125⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        126⤵
        
        PID:900
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        126⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        127⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        127⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        128⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        128⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        129⤵
        
        PID:872
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        129⤵
        
        PID:580
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        130⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        130⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        131⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        131⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        132⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        132⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        133⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        133⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        134⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        134⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        135⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        135⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        136⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        136⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        137⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        137⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        138⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        138⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        139⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        139⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        140⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        140⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        141⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        141⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        142⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        142⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        143⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        143⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        144⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        144⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        145⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        145⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        146⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        146⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        147⤵
        
        PID:308
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        147⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        148⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        148⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        149⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        149⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        150⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        150⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        151⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        151⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        152⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        152⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        153⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        153⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        154⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        154⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        155⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        155⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        156⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        156⤵
        
        PID:408
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        157⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        157⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        158⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        158⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        159⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        159⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        160⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        160⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        161⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        161⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        162⤵
        
        PID:408
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        162⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        163⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        163⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        164⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        164⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        165⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        165⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        166⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        166⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        167⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        167⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        168⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        168⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        169⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        169⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        170⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        170⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        171⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        171⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        172⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        172⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        173⤵
        
        PID:756
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        173⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        174⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        174⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        175⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        175⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        176⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        176⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        177⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        177⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        178⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        178⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        179⤵
        
        PID:800
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        179⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        180⤵
        
        PID:628
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        180⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        181⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        181⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        182⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        182⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        183⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        183⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        184⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        184⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        185⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        185⤵
        
        PID:980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        186⤵
        
        PID:580
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        186⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        187⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        187⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        188⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        188⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        189⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        189⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        190⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        190⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        191⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        191⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        192⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        192⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        193⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        193⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        194⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        194⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        195⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        195⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        196⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        196⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        197⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        197⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        198⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        198⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        199⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        199⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        200⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        200⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        201⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        201⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        202⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        202⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        203⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        203⤵
        
        PID:580
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        204⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        204⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        205⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        205⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        206⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        206⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        207⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        207⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        208⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        208⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        209⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        209⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        210⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        210⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        211⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        211⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        212⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        212⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        213⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        213⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        214⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        214⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        215⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        215⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        216⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        216⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        217⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        217⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        218⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        218⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        219⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        219⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        220⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        220⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        221⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        221⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        222⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        222⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        223⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        223⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        224⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        224⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        225⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        225⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        226⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        226⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        227⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        227⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        228⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        228⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        229⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        229⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        230⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        230⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        231⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        231⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        232⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        232⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        233⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        233⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        234⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        234⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        235⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        235⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        236⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        236⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        237⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        237⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        238⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        238⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        239⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        239⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        240⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        240⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        241⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        241⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        242⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        242⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        243⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        243⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        244⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        244⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        245⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        245⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        246⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        246⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        247⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        247⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        248⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        248⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        249⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        249⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        250⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        250⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Script.vbs"
        251⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\win3264\smss.exe
        
        "C:\Windows\system32\win3264\smss.exe"
        251⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        251⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        250⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        251⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        249⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        250⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        248⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        249⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        247⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        248⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        246⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        247⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        245⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        246⤵
        Runs ping.exe
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        244⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        245⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        243⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        244⤵
        Runs ping.exe
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        242⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        243⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        241⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        242⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        240⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        241⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        239⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        240⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        238⤵
        
        PID:800
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        239⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        237⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        238⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        236⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        237⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        235⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        236⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        234⤵
        
        PID:308
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        235⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        233⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        234⤵
        Runs ping.exe
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        232⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        233⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        231⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        232⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        230⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        231⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        229⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        230⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        228⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        229⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        227⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        228⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        226⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        227⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        225⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        226⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        224⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        225⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        223⤵
        
        PID:904
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        224⤵
        Runs ping.exe
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        222⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        223⤵
        Runs ping.exe
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        221⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        222⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        220⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        221⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        219⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        220⤵
        Runs ping.exe
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        218⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        219⤵
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        217⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        218⤵
        Runs ping.exe
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        216⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        217⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        215⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        216⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        214⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        215⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        213⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        214⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        212⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        213⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        211⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        212⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        210⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        211⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        209⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        210⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        208⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        209⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        207⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        208⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        206⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        207⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        205⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        206⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        204⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        205⤵
        Runs ping.exe
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        203⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        204⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        202⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        203⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        201⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        202⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        200⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        201⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        199⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        200⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        198⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        199⤵
        Runs ping.exe
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        197⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        198⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        196⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        197⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        195⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        196⤵
        Runs ping.exe
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        194⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        195⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        193⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        194⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        192⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        193⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        191⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        192⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        190⤵
        
        PID:600
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        191⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        189⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        190⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        188⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        189⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        187⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        188⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        186⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        187⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        185⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        186⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        184⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        185⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        183⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        184⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        182⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        183⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        181⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        182⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        180⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        181⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        179⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        180⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        178⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        179⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        177⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        178⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        176⤵
        
        PID:892
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        177⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        175⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        176⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        174⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        175⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        173⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        174⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        172⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        173⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        171⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        172⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        170⤵
        
        PID:308
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        171⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        169⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        170⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        168⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        169⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        167⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        168⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        166⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        167⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        165⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        166⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        164⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        165⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        163⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        164⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        162⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        163⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        161⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        162⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        160⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        161⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        159⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        160⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        158⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        159⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        157⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        158⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        156⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        157⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        155⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        156⤵
        Runs ping.exe
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        154⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        155⤵
        Runs ping.exe
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        153⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        154⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        152⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        153⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        151⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        152⤵
        Runs ping.exe
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        150⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        151⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        149⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        150⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        148⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        149⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        147⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        148⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        146⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        147⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        145⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        146⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        144⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        145⤵
        Runs ping.exe
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        143⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        144⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        142⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        143⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        141⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        142⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        140⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        141⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        139⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        140⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        138⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        139⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        137⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        138⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        136⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        137⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        135⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        136⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        134⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        135⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        133⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        134⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        132⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        133⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        131⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        132⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        130⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        131⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        129⤵
        
        PID:804
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        130⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        128⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        129⤵
        Runs ping.exe
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        127⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        128⤵
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        126⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        127⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        125⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        126⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        124⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        125⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        123⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        124⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        122⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        123⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        121⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        122⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        120⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        121⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        119⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        120⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        118⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        119⤵
        Runs ping.exe
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        117⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        118⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        116⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        117⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        115⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        116⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        114⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        115⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        113⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        114⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        112⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        113⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        111⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        112⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        110⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        111⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        109⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        110⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        108⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        109⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        107⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        108⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        106⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        107⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        105⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        106⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        104⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        105⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        103⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        104⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        102⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        103⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        101⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        102⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        100⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        101⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        99⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        100⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        98⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        99⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        97⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        98⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        96⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        97⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        95⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        96⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        94⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        95⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        93⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        94⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        92⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        93⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        91⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        92⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        90⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        91⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        89⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        90⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        88⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        89⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        87⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        88⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        86⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        87⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        85⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        86⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        83⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        82⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        83⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        81⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        82⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        80⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        81⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        79⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        80⤵
        
        PID:284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        78⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        79⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        77⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        78⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        76⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        77⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        75⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        76⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        74⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        75⤵
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        74⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        72⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        73⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        71⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        72⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        70⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        71⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        69⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        70⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        68⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        69⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4984
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        68⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        66⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        67⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        65⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        64⤵
        
        PID:308
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        63⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        64⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        61⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        62⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        60⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        59⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        60⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        58⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        57⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        58⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        56⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        55⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        54⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        53⤵
        
        PID:748
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        54⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        52⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        53⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        51⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        52⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        50⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        51⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        49⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        50⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        48⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        49⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        48⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        46⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        47⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        45⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        46⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        44⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        45⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        43⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        44⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        42⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        43⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        41⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        42⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        40⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        41⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        39⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        38⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        39⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        37⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        38⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        36⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        37⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        36⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        34⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        35⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        33⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        34⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        32⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        33⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        31⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        32⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:3684
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        31⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        28⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        29⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        28⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        25⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        26⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        24⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        25⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        23⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        24⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:3228
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        23⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        21⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        20⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        21⤵
        
        PID:352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        19⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        20⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        18⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        19⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        17⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        16⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        17⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        16⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        15⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        13⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        14⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        12⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        13⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        10⤵
        
        PID:308
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        9⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        8⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        9⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        7⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        8⤵
        
        PID:2164
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        6⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        7⤵
        
        PID:2764
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\system32\_dcsc_.bat" "
        5⤵
        
        PID:2176
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
  - - C:\Users\Admin\AppData\Local\d.exe
      C:\Users\Admin\AppData\Local\d.exe
      4⤵
      Executes dropped EXE
      PID:3008
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 216
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2608
  - - C:\Users\Admin\AppData\Local\e.exe
      C:\Users\Admin\AppData\Local\e.exe
      4⤵
      Executes dropped EXE
      PID:2828
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 756
        5⤵
        Program crash
        
        PID:3948
  - - C:\Users\Admin\AppData\Local\f.exe
      C:\Users\Admin\AppData\Local\f.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2564
  - - C:\Users\Admin\AppData\Local\g.exe
      C:\Users\Admin\AppData\Local\g.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2772
    - - C:\Users\Admin\AppData\Local\Temp\winsvchosts.exe
        
        "C:\Users\Admin\AppData\Local\Temp\winsvchosts.exe"
        5⤵
        Executes dropped EXE
        
        PID:1768
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 348
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2296
  - - C:\Users\Admin\AppData\Local\h.exe
      C:\Users\Admin\AppData\Local\h.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2660
    - - C:\Windows\SysWOW64\svchost
        
        C:\Windows\system32\svchost
        5⤵
        Executes dropped EXE
        
        PID:996

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12762673072026294056-1517337404-1703614001379621296-361454646-84773501068573310"
1⤵
PID:1544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-230867372-1331003347-52574181-1684494235-331469966767603051788273575568977895"
1⤵
PID:1620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15649115361980966555-154575422552300431-20354563486883755208171922891121482073"
1⤵
PID:1520

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2141058224-595451244-1982783048647658245139935974311896629067258397791545457413"
1⤵
PID:876

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-942324743-16297488531284254472-14316115031976956904-367022702-922155307851793240"
1⤵
PID:1900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "753472301-1555618400-70418092-1897776034-1092264050737571326-1689014613-702815996"
1⤵
PID:3924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-615498168-27284221-9455360472418775651323036115-1723584851167244170799680972"
1⤵
PID:3496

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18546131801272138047-642504726909653721261551263212261036-1644822691303265249"
1⤵
PID:860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11629433531374096813-350776938-575938864193875964812342723581787560272-2087723214"
1⤵
PID:1820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-470670678417080417-4041380942044326440-938379961905734365-968387333600240652"
1⤵
PID:3672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-608076965-1946896064-96116176-939408728709782442-161429445-1921123961760354837"
1⤵
PID:3564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2102205469-24774061328611357382143604251397951892009470617852683801397507181"
1⤵
PID:3596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8438491741795028498-530524959-11313635881553228737-17530651724177646221896595619"
1⤵
PID:3996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1968372.bat

Filesize
192B

MD5
9ce873ff413f84778d7aaf490f71f837

SHA1
32c154bc072fc1fa6c1445f7058d98c7822ab6a3

SHA256
091d1c49b3faac23163e8646b110a930694dade5b15371a6936ccb196144c0dc

SHA512
130bb204e35b084920385fa3c1da8571f01ffb8069dcd58c262df79f3ef60c909a2679116bf56586396f8a0fdac96144f4f4a4c1e88fb6c1519163b476c6b90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
c82838da882fbaa7b7847f01509f398b

SHA1
8ccd69367513bf940afd1d1f2b1b6faac1e6a79d

SHA256
de2a6b27391accac92110bf953de698ed83669b6c59abb8616392a3c1f10f1e3

SHA512
ca2865875b76a7903b54966aa5baa2369fa63a5929476d6730a510217422267b971c7c4df51707fb794e1762bb9f31d46c829d2ad54b432b709bba81d51c68c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
00a9c75a24e926ebc065b580a2b96cc0

SHA1
4addf21053c04d23aefbc5def9e7dff95c35cbce

SHA256
11b5d031130e23dc176f23c00bbff3f1e04233dfe5e593df43b4f7548b3d497b

SHA512
7546a4125669d08daef55280911dec068cec5aadfb3ab8236366500d9da964dc5bd5194d6ee23521f3a88a4da634d11f7d0ca4e000038965ca54042241849b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1465d6ff48c96056deccb010383b1ebb

SHA1
c02645721b79f610002e575de1f37fe1d337e9e1

SHA256
3baf6beeeffb13fb281ed9741c320a84217e89be34efc82f0328f0c93e919d62

SHA512
4067df68ca2a404c8bc79c1ec1b452f93c080dd31d22f7bde3934706d4021d2fa6cff57dd5a2cd713cf8c2b7b835bb53853ebbb46c0e13302010d40d06ee1ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fdcf2b04774ee90180b7f9c94d692441

SHA1
dd2b02caad215c2cc44bd9a50a179d59309b5433

SHA256
9b4de9ea2b2b75ccc00719a8ad8e72bc4426e9c1cd85c8093a5c275ea6f855aa

SHA512
ef5e90ffa9e69697aacbcd80bbaa0523c0f728d13d475fa8b65251cf36d7c4cacd6a9ff4d2e247c1ff5eaf80e4a2aaaaec8bdf657334d0928438ba1a2a7572e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e365903e95498b0ecaae5b454428a044

SHA1
f8b6037772038d68e62ed04b52c181ea1e110303

SHA256
6d052d6f01642ea0debdc8b504cb3ad5051099f71270bf0bfd864b0385fd1e6f

SHA512
8d0e01d27ed225b1ea4ce3fccd0fc41622cd1bd179063a8f0ea6965a99909770ef1efd441f45d7ba1d53c52f65e50bf625e29f283d218ce0b3b2fb08cbde2c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7682f611225dc06c25ebdc67c806fc05

SHA1
b837c1642ec0e579986bffd2effd23c92315488a

SHA256
7c08db4a92f54ad7d435c92bf3953f05ecd57787963eddf6e372681836b3de95

SHA512
5879a6d2349c1dba53e6dca311154f800448d09e97d06c15150fc5fcc6198a032a6442d49201b99ea87af96ec448d6b3c8b87d77da743fea1641cc02f50478e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
82d97b17cb66b1927b3b6d4c1820490c

SHA1
31db40183a3580057567a038c8b47e33c6bf85ef

SHA256
67474874436e57e1d2d6ab7b3e210418ad75c5977456e18d574872993c606308

SHA512
9cb559acb97bde41d499fdc532f5cdf7d99588efc9f9a1f220ca58d26e2f9e5bd1965f7cc4af7546359b551a304d5ba223869d1a54c427f80ec47ab0281f6ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2405b5ae1e273c23c82fb64201a01ab4

SHA1
dea6719f9de86761c9a637a799949a7df3abd319

SHA256
d075436c623ed0a21b20398a8593619aeb8054b3ced1b478c5d4b8d884ad27e5

SHA512
a1bfe4d81ed2b656cb96dcd09f5d97478eb6699db7ddf112fe6f782a2b726cb725f319d3f891c86ec0ee950bbe562f3aa3c01f17aff85db71657b1fbf86b6699

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
60579bc7418aeb12f160d3aadb8461b4

SHA1
c79734d2afac0ecea866db01d9f973a88c1353a9

SHA256
9d83eb69a636ba06a9945ca34d0695d26b7afc89f6809edb1d4a37d1d74c1bd6

SHA512
5e6a3fecb8b825a2afd4848ba4ddadd1b2ba97aa4103a6ddc660345ad66175a6bf9dd1202e7ab1e8c06d7e3c2a4949be281c531d5d7da926b938b220db9bacbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f671700176f071ee14e1c94958cb2b76

SHA1
0c2b9bfd5bcca19c99f4b8928e6ad21933d9b736

SHA256
9af5242822e5ed266c78b28109cf5d9f30e12434f859b8a447915e50050cee84

SHA512
87bd10172c1429c13bb1d0b74d9e00d539188fcab1590b5d8fba68b0c2cbd21e41e18b21c7d52ffcd8ebcb6cfb3858e89d03d8b1b22b68f0fa559e621e86225c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f31478b00e8e5b080e26bd92a15a5552

SHA1
5682120e11756ac9a3c68d094410957075a3d218

SHA256
68d4a3c0d64d245e25f6620de523a3f2f15c031a5dbdae81ed2e0ea8616b4d88

SHA512
4b5507d4ad3a3dff7b75706f870bc6cb955c9a178c7472c25153b71407bc57ed18ab3d028bab7afdfca67aff2eb7cc18aa2ac10974de7fddeabf9d13e698d806

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
84da0042f7e8903d9080a1ea4b97a93d

SHA1
76368e78f244e4021f3b2f0c1bd932f1c4b26ee4

SHA256
9cdd804485cd59fb2d15d0fc84804ece258721966ded090b8443333eff85a3bd

SHA512
5c848c14361c61e5f0d8ead646dd2d8922b23515b0bec85d54cf9c20dc4900632a722fb3c50e4226dcaf9916acc0a65f7e3009e09a9c9d8eea1bf92947a695f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4b7521177d988dd719752204cb7ede8f

SHA1
174e1e1e815a52cbe4ce5b2e38caf7a55bc48dba

SHA256
3b7938fa4740718f8768d6d4e76d8dbb7ffbef65d5aea6f86a250d154f0909bf

SHA512
72e77bb2554bbc23177e3d59db0daceaeb008420a8ca0dfb74c0bdaf20edc91e0eddd949d3284df3fcb7f975861834c718d2cfaa25487b2177ee7d4217a292df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f79c0c45314aa49398da3aa2246b7cff

SHA1
87ef85f6ba7c411de8321877e28da528cdabd326

SHA256
14432abda52014d4c241ad2cb65e1075a74e635f98dec06a61fc47e168ed6d55

SHA512
143765e773bbe32d7511a9d79359fd9b01f375b6b9ff92349e1c829592ee7c7c8de62bc097ad28acc0c4dc344cd65dd4abdf817f91d0e6908bd9a0f9afb82a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c6756c485f50fee3394eed0e25f89dd9

SHA1
3ae157c9a4540ee55c29889196d9266091ac21ff

SHA256
31cf47e9c9c161d9f37434e62153d718450500173440ab603e928190164c994c

SHA512
a5561001482bea78ead8091539e65d7a9c48f9f923ece5ab5fb7a6cb69ce86b8b58e952cee7aa7fa5f1b34d733957cc370f6a383f57dc16732161f99c878e2e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ae34008528ca3bc6d092e53bbb25e9b7

SHA1
0d3a18e14927aab099a64f666b1cf199d4aa35d1

SHA256
6644709f927255c822fbcd1717e275dbd90af9be26b16b72e663d2fde4987bc8

SHA512
8523ba97a3d5c25ab95920282ecff7037aad04de3d2a648840995b0aec81a44f1afe02668d1a2e6fcc99c6e8e99948b6fae728453c62247af852ed55d5d01a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6c498c8fafd614ab91ade88e4a0435c6

SHA1
5cbc4631624144c45c357973fdd5b23039b0fd3f

SHA256
9bc1549257f7bcc9bba24ae6adaa440314c775f41b34ffc8e04ce69000e7193f

SHA512
e70f4b5b5791f8deae98bf56e6605cdbc7e52fb3a6c5cf41c0396b2037f1383d0b68c4dc3f910710e0282dab959027d93d4e2debb3c9b82dd9557244178f1120

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3346c3222664aa520a869561a24cfa49

SHA1
b30db0d1b8ac66cd78ed9aecdaa05efea191fb30

SHA256
eddf4f23709afea1c02a51430a17c97f19952b0890c4586ba53d31541719aa52

SHA512
5d945a4718c55c5a54df963d7a6195644b2222bd9456319c7f69d719840268eb545a385d7a8760b258efc0f90bd5a39df58fd51229155d38d013b272db3046b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
848086d2bf9cf21eb2bd3c88332f734e

SHA1
f910ddda3da7c187c5fcdb20099fd9ec10e08e10

SHA256
769190e634ea5375698d699c93bdf45948ae158f0b55ed9215920ee2f507f02e

SHA512
7b2405d5d088cf2d52788a130a50899a69cb9f32db16c2a300d56e3f2d93bf42c93414df96a4419cbac28149d78e618414ad377af57f4a374798cdaf4f55bcb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a0a83890a72b279c4b0c38a342568cf1

SHA1
8311c5f2d5f1c1d17626c5c2235dee1ed1f4345e

SHA256
1fa8f94bbfca3b32d56f0cf77a6f5b5117ee985d643ef992753918e91ed4ed46

SHA512
5d1a937a0b669c9c33247c3e452b155742ec1618b7df1174e4ca7117f756b9e34c6e0b1db0a1e26f74124c3a5a9e463308d3f585e148912a3dfaaab955d0ac5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
173092807aefca9d565cba7703455c7a

SHA1
4987c63918c31b7d27a320699a69979cab70dc07

SHA256
91e1a21530d2b6f8772834585b6e5066d00d6b9d72ae7cdaf319ccf8ec30dd23

SHA512
2ab1f10557dc1eb6923150d2104e129903a63bcc86823c771d2b6c40a2d357bd6f004c0094575ddc591c49ecf8bf16b3c226683fec81f8c939832669ac3fc424

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
566a4c2bfef34d4e6e00a3f544507e7d

SHA1
6f0e6ed800ea112278220cb15f23dc73a68b86a8

SHA256
7c3b8b5c022ecfd63a093cfc2a2360429a8e61a528d6c3f909d7c6b3864e5030

SHA512
f095dd46857079788636ab5d49d492b2be9a4aa6c9a14a589d21dae362df9d3629f5119df99bf767a6ddfba6084abbe27bbff60e39b39bf586a4ac3fbafd21b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
68b3b83c779917b00abe80faf179cd14

SHA1
a1f11390ce88de90961ec900fe1187691c2aebfe

SHA256
a8c020f319c4417a778ed5371de42c96df98357c787f74ae2c19fcfeadb280ed

SHA512
d9820528532021c0e16c6e1cf89ca38a97e799dd48703a3706afcb6116b15902a0359b7435b010c7e2ce3df5423aac5cb2b3cb453ee00efbd159de9561ee6734

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
98e8904b780e40234b5873e5dcad89b3

SHA1
3e33992460969e7d9f3aad113f8229a95f2bb5a5

SHA256
c86386e2294b0cdf36cb87984f676a409246beea5e85d30d1ac87839abd687d9

SHA512
94434b09d342e37f462588802aff7c98bf920b2b1f21feba68a81ad22f4b3bf33654447862e550819ef17f655b66af463f1ab02085ceb09d7e43b91ad6d85e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6d054bd2e12661a1bbaeb5598091c15d

SHA1
08b118b49ffbef177bd5251cb366b45a74fe5dbf

SHA256
64c91aee750d02bc88eb36a4f3da0a169fe3144ab3a2735141d9dfa8a3f55370

SHA512
79fbeb66ae3d26e7baa9011399a26229c13d57784554729787a29544d13393534f84bb5c270fac4c9f5ae21a908418ae6d466c51ed8969df4509dd1d4dfd1021

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b23d9e64bc2a8a1107a2db5503f56d5b

SHA1
49ee2c7ecf3b9d056d443a5264672b9a8d744ffb

SHA256
e55f444b44d99fe53ef1be2a55b761bb5e4076250ec6a9932dd654464b1d565b

SHA512
e990225df7434afd38121eb54db6cb9061ce5f5a71ed4b1b566550137163236f7a93a77b1a8a1bf0ec04d5c48453829854177afd13587e7449a8928077856153

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
141ca852745532ba7d523036ccc871b5

SHA1
eea9813ef175e3ea6f7c51cdf0c0ed3a66f4c11e

SHA256
878964ebcb8acfcc3eced584f36cddd3d97fd56a29b985fd869e938b9e67ffa1

SHA512
009705438cb24b10ef1136f18a9ffd4faa4ded138b22b08f62180861ca03973d89fd9845b8c771a1f0344e6361adaa17cff6b251990604027224794b2becf08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4a841ce628f8627a5acb84f7ecfb9a65

SHA1
0900153eb62d4654a38c6a3a7e42b07b0db0e82f

SHA256
066a69f355f4f6b079bbaa02d420ed719ae2f2bfc435a9b9f49626bc3ea2bd85

SHA512
ad77cc3a24925d9c1e6fc712b69f8e1558d1a321768435e7e948ea71fb4ecd1628935ed283eb8186ac02255ef679e72dc31c58f090ec6a0fb34c2f69b10634d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f0ecdf9bd030a343d418e6a0bcd5ca1d

SHA1
f291828295325b44d5a489809b518595394d0d30

SHA256
ed349c37e0c98cee690202b66213f00d79b26c55fcacb9011f41b5e6ef108b52

SHA512
926be69920f10cac49d9f33c1954d0e5c124cd6a0118b7af0deb633cea342e9c44f4e0ced212805c44a99b9c580cd47f859a0eb0e371e679073ab11a6bd7c621

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8aebdf22453000bbfa7e6925f501afa8

SHA1
6cb53ec4a1dd7814e2086621ea181edc3c1e15b8

SHA256
47bba9a093205d0c75e9c188c74c0cd44d9d7725aab5825743fca57f649606a4

SHA512
3ac8ddf6e2c0e6bdf6cc05eb098589237bea40b71fb2d3eafb048fb97422e9692e4e4d6e46057d1614c1a53ef7d5d662606352166d2b91ce4c70e7bdafec4bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a42f4b50dca8cb21be6df394f1da3450

SHA1
73df5feee4d625a5ce3831c07ac684015574377e

SHA256
1eabaedc68ac5e6893cbd7dc08018a5fa05bfdf35992a577d00c8e6d306ef1eb

SHA512
dc8ecfd22999529113e5cd30df5b57e56073a33d072009a227ae6a3160fcc4683943d6e62aa9ec82056aa4942eedded0e60047f46b3f64427b4211b5ee508fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8e10c4c7c4fe5c1f25e9838d35693eb6

SHA1
342c6ded27b50664093e1403f746f44a35cd94e3

SHA256
642ed3e3a241f982e78fd3d913b9b0897ca922e8f38d2a280cae1d10fb936139

SHA512
b3f236db3b32e91647a494514f000b8d7f454d23b723d92fbf5d425e743556f7d85dd22c46b44f925afa9a0c8834b83d540651c8425d6b53251d75f31bb7d598

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
41fc19a6cf3146d7a7be59cd1eb73810

SHA1
d5ab67039e087eb10fd9043cd3f4372716c08eb3

SHA256
4ac93232bb377b6f6274054316f8508db76f905acb23c4e5152c8471133648ba

SHA512
b7344392d443d1c9a82079814fe53f31e99f0b9b4406de3794eda2b9668a33d18862aa6d4fa9faeccb911d41a80fc36c5f946cd2ef0a4fdc7dc9927941791e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
52128f65adbce52e34a13047858eb317

SHA1
674cc6be858e25b38d6c9200bcfe31f3391cca2e

SHA256
4fefdf3aa2b836b32f2e4e0de1daf1273318744b3ebb15d1d037739089c65fd2

SHA512
2e2b5c46a985cab7d5959b8f1a765b3a52d51731c2eda71dc68fe1dff13f2b899948d7c75d67a5b118788a3a9473383fecfe831fb85461f8ce35ecbe8b968b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0f1c334b07a4223b104b9d1c22073451

SHA1
096db089297fd99ae068f1d62e74a7c6b83336f3

SHA256
b8f60cb5adff3b27137ebc92a727f59055622d8120464882e270973d07b9c060

SHA512
eed376855c249e66fe25663bebd10f57c88a72c6a3360db5c52d8bc49fa84a62f8312aa84002f1dd474af97f98cae8ad7faedf690462e00f950b0d6dc68a7730

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6ee0745f42d104184fecfbb54fc2709a

SHA1
c8d58568dae1f0ff9aa2780fc7224772697ad7ea

SHA256
96bd3da43f8bb66d11da3d97686837ba6d741c3db4d732ca06336f481ac558e6

SHA512
d729ce051c17d515794123373c7436b0b0be511cb8b2e4104dd8509a6cfc58dace00f6b269f5c1255269b1e3feccef3b8984b35a58d674e055ce053431e06b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c680640367b8286d7439a66260032d8d

SHA1
e4bd0a334e26d9aea702e6d8ea6618b04ccadb0a

SHA256
509042404fa45d5b2a20993956c991dcdad82c4c3024e68d264cd7ba39bce591

SHA512
7f8c0f6e6b446b4b1e4b89c2997b14b1957bf835dc88c2c84801003ff318c9330e833564c076eb70c3162108e3fb063800873587cc66970a25d975f552ab1e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d6c75f12ca12022467354b5e0d0d36f7

SHA1
ad8c645c9ea729e885b408a72f2f88f4b622c52a

SHA256
33f7a37db637f1eb7da6dd822e773c918e84f4fad2c6987fd4a7acb0563b6051

SHA512
4fb4c851d7eb44b8ad6e8dd53b7e6a1000ea636c96b98e0471b6c177a93218560a571869f573393c34152ad20e3401bc2d9c2e760b828ca43341e98f81d822e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1dc34f0653a13f5f5afc8a5c6dc557de

SHA1
d6779c489d267038ec1214275c3db3db02375dcf

SHA256
82472f3437bdf452b0a9c3faf4ba131b924cea9d9923a1b82c4863b1734c205d

SHA512
2dcf0b053e71b6dc156d86a94d2678a48e4b8dabd3d49018638870628aa3013e0144200894c909ac6cfc855393f8d3bbf8c5827e467fb5063703f074382e6daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
691ff2acf028c41689afca7103606eb0

SHA1
e65d6202f96a41a5019df114915b3532b181244c

SHA256
d6d25bd77603daba873d2a7b9f2f386c3dd86670e9f3c1d89540bb5338f1fac0

SHA512
a7e50e05f07acf3ab546e171ac6b280f5d58e994c851a0ca0c58e752fc75a0c065481a6267aafb481fe97f28a801fc2ba4b3525584879071afd6a004dd862bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5e03f8eb6346cd6fa719dca89d199f05

SHA1
3b0b3bd8152074daf160ceeaa2e0c1086b7d3897

SHA256
a32f380c2e7a8e7cf96398941f794aae0e51529ee95cf3e9f31fceca1abf092d

SHA512
4e716852576cbe468f20e878b064acabb1664d3eee629c761c94a040d85841f066d6e81488bc1786edc352ae0e3936417678fb1f67625b868ee511a03e8742b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ccc1ff68f6e546e7539259a15de8b280

SHA1
b6daca0b8891b664b52614db7d494c28c09e568a

SHA256
65ac6f193a0d0b861de4fc27aa3fde5f939c7fa93d7e0d96aa520d7e8ae68e68

SHA512
17ed23a14612adf96734966f9d057c076616cbd569e6a48a238243f6a271b701110d72deacfc91f2e2e5cbb53b48c07d06240350786f41af3e5b330dec133682

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b04e73181bbcb4078ef3af4383fb287a

SHA1
81d8964f380662cfb783ac7b97de4f2836c03e0b

SHA256
c3313bfc0db6b198e461b6bc811a5b2ae7baaf2bf66a7ebff14ecb861649bdee

SHA512
e17a043f7a1425aefdf1d43db544feca98e15294515c1576586dab6da8782c11065d948c25f9cb95a507e95ae94bb6606e158442856dcf73b972bca651eae50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
bcdfb768402d68b8018c8046420b0767

SHA1
932b6c7c8230f6ba358130fb59b6bc53f89ee78c

SHA256
09bcc84a83cd259a3785388676ce89c9bdfc33d6633684eae37290fede7915c4

SHA512
9ea17c32db54ede0f0e5d5297b400eeb3ee4da19005ace122d0a06572612ab5a42b7a3eba55be37c128964e8aefe9c19eada9d702293aedd186aec55377b8770

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
02f27f819c24f55f7bea00ce03fcc93c

SHA1
95d9102fcd17bd3559f5f7ed53aa8263b4acb516

SHA256
e5864da6008f3f72aa1e903be7d67db26ee0adc4f7a11f6f7aa32da1cfd1f6fe

SHA512
844c66f18f63768c8c270209ba5d0adf0acee8a9f6b2b3a8cfa5bce0b93614d1c4aa4a6f5bed23437d3372147565abddfc37698f3ff5bad170b484065e937ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9f3578f82bc165387c68e17f69ce9549

SHA1
bb040f3ffbdea839c4ce592c76402a985fd75ab6

SHA256
62ad64c072b5944c5a6de217f52baad9474348d8349fbe1542107957c412c9d5

SHA512
f564bf84247d187b41e66a65ea418717f2d4e7a6d97ecdc3e3c7b6ee71723c47466bf42a8a3eee38a74c89bb64471767df31fad9e593dbf3c0e9ce35a6800a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
95470859185cd2d1616712e86beace08

SHA1
02541f7b2bf5736fa06555b2d1c1e1cb3efd0158

SHA256
cfd37b6b098d49eba8cd1811016ec7fe99eaf3d9ae60199abfbdd757647d6c9d

SHA512
4fe023c92a28cf933d6224ea8c849ed5c9a1b7de8f62439559aa99c8ff195394f8b855948ad98e41ed9390671fb3cee4a3d8b27f0373f5ab8bc475ecc8a1ee8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
27cc9d3dea8a59610c962d8ea48ee438

SHA1
f9a2c1cb303ac43f7728ba72f364a73df27bbef5

SHA256
1c6ced9a642bef3b22ad3b066417fa60cec45c022999339b3d94035a113b78c5

SHA512
9a13188f2dfdcfe9c21a8f365fb9ad1a304dfd661a5535539adccc971fbfdf9ebd9e209404913718b9a3692b69c21887e50990246a4aa32d07272d6a05988ada

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5803ac6436cba1f41f71e5f371b41f29

SHA1
dfbfdaf32d765fa33e0c819e5031edeccf88598b

SHA256
b8239ce2203d7050f1d31317188269cb3d03008c3db762da1979cca674084f20

SHA512
29c8e8482c81a9426678c0ec0716f29e52137187bc3dbdd88aad12eb21b06dc0a63457e59b4048f9999e1d5bbc96ad7545c421c72be608a72b7fd72c9908f849

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2ea28461b757091c5791014dc7005335

SHA1
2dde4797f5406d673a0e16149c57ae8f5379bc08

SHA256
9406a489f989b9a7c70807848ed48804aa80727340d82147767b7cb939086c48

SHA512
d145e334e36ffdee26e68515ec119354714937ade6b68b68e3f138d5e9465de553503f9f3244dece26849de9e84da7bc7871dbb555339acaa3929719dd34eee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a541e229402454c06cd53ea120ccd107

SHA1
3d6aaabaab9d756f57cbf44b0fc09e145d7d5749

SHA256
7a629dcfe94af28d43d49f4092df873dd0100fd97b18f27f413d221d800d84c7

SHA512
ffa34141301eec54f9cbed16f6f74df27b7e0de0ad56c952a7246b73610c8c1f400cadb144196dc0aefb2394eeb1ddcfb9e8ec02179b424138920f2de9ec2136

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6d2a793daa1ca0922175fd70590ee3e5

SHA1
1fb2e86850f44d964f130ecd8a11d7cce1fcc685

SHA256
c1ccebb48b72f9ba3fc7223ffe8959356e5c70d0e29ec5ed321fde489f91b403

SHA512
bfdc00f3e5d9da3fea038da2591d39c0ff6e7f106d22fe719716cfbc6c3268d1bafcb98b66020a3cb61980ae95036f3f98756af8d7420b382b4b91bab243db92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
34e15c2059f775c23f51bf01329a72a7

SHA1
42794864d2c62f9a73485f8af4c1c25ed23300c3

SHA256
e72367907dabe208f6137a860edf91b80fc6b58435a0f0eed8212a26a4e1eb8e

SHA512
3e68b2a93f48dee410fa1f4f8bfcaf20dbc25226dc96e2c00248e6e0e5e4e9e1e185d2702bf993049647c0491fb2e4cd974f32c42d76f2f45694651856cf86b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
58749b1c51084af569b34e9a2401bccb

SHA1
b7f550919f7101f0cae8bf3aded3b1a4cc290e9f

SHA256
aa721bce316367baff4b311a3b26b7ed5f60dd1aa7c1997b6e05e6ca77449c73

SHA512
82e951987929f11a48f3f81c2ea35fad8ef2563fe822c39565c2b2e552068709bc9279c3b843a512ad527c0ee019d35b50dc6c211e396c5c6ba5a10c5a5a0b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c23951a79c10f00fa7e813ac67820eec

SHA1
4d208b0cc89756b7acb27e5a3dc383ecce94ae78

SHA256
3fc4fcca3421297999ce01a4a089148e45f2a3bbc9424986a06a04e41c5cfc45

SHA512
a363e34f6729924c3ab7eea885d3692cf787ae81fb369de9c49886ee0e7b637367748187de1acf1ea81b9a3a9ea297557a09985423bdab8f8ad3b9edf4896f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
677d2d68ee4e6cad729a315f388d16e7

SHA1
dce4f40f771715ac9126d07bc3ec134642bdbdcd

SHA256
b1d5e7f28fc71137813a98045db3750ac2782de6175873464a9656ec35e2f949

SHA512
bbbf1e269e16e9a33acf98a6d1f2034030942b006fd5794b20b0a0304c562c774b0cff7a54b4bc06f8d8e81369c26e66a59e3d30b5dd6f20962669b823b3aed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
46d63d725a862a1f12fe8cfe7e45dedb

SHA1
ddde926ffaddd8741d4dafaca89b7dac63b7c2c8

SHA256
13582488f7a450db1034fdffc5afc575d25cd73768da623e2fc607f933b095c7

SHA512
3c8b841bb293bdc93ccde814a7a1740dfd0ec33a02f7b6aea56ed6ac5eef341381701741a24a6e79ba0927db103d3867e6d2cd1c7d090c22e4dade09c3097894

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fade02be3d1381a07ff8bb8d8614c237

SHA1
476b27b0b3d0c84b9c77e18d01c1d25fb8d56e80

SHA256
a16a567738569d727da739f64dbc5cfb7fa7dfee9f916cb869c600aa5fad1190

SHA512
abc4a5ce22aedb6339cab310052741581d7ee2ba5398e970d56741a1cf39ffb0af16d8d3bcdb49a371e4f6dd87dda7a52dc9e38d70574b43c438e735cad6802f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1bfd489e61676efd8f955ca6d79b63b1

SHA1
b9f40c690087d28e0badf55573eb5080190c5e42

SHA256
73bdc74f447f79796c8854a8b3a9f7b0d88f6c8a4a08f43b0fac590129637af6

SHA512
6c1150f32ae4adfc39c436db720f6ba10d50f977f08bcab62b740e6760e94d44eee29bd23c8826e3850f3b5baa6ec6c110987d7a59a0500e3c0c8dd2bbdd1d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a16adde4120c6fe562826fb1edcb6d1f

SHA1
7495c05f29f566e6578efcc37ef639ad9736cb9e

SHA256
f4fe62ce811ec2c4d24f1888c5ee370605742742f4243ec4bf9696959e5d0fe6

SHA512
6de45a80201ed19317d6edbf56947693476729196eca6741df28a72e82fdf96cf7194979b517478e3609db7695f7be71232c8784835bfaf772c602a5fea0a4f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
21fa759c202b5d466674ff0702d051a2

SHA1
e1da6c25f89afb18c63fa04d98088f56267d0e6a

SHA256
81ae031336ba847d5448d33e4ba113cc2344255dbfac5f1a0c8077388d66cbcb

SHA512
1834363030458e0ad707d3638afcc27630497eae30f7d900748e94f814c66dfa36a8ed66953d5d5ef0db0d32716afd7fce5becf123d83f8a3584f68f9a611ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3d3bd6192bb0e9fd3e3a313f9adcadaf

SHA1
735ac23bb43784976b004dbc596b837908cec7dc

SHA256
81578b4e97531edf574086ffcc75d7c027ccbc033db9bf48225f84ef0efc973a

SHA512
59c366648ad7b4eb9046b5ff9376e4d819b4cdc4f6756af0aaee2cf4a9b28dbcf84c367dac521e2ba7f115367a44822ba0afb15783d4e9260233508679ccd3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
75a9ade1c748e7209aacd922a95b41d2

SHA1
7336c4c214d91bd6abf295817c731c3635b5660f

SHA256
2d61df3d4941da657356e338735a9ec8e7284674215e3366e73044fc038bb79c

SHA512
3796c4d7235abd1f2611ae8e6e116b83d69432183e226cb35193b03e3e90b207f75821340728439c186bd935655ead278ec43cdfd30e4e75c76757aa1fdacde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f0ff68a238f972fd3cab4f29bed5a694

SHA1
4c87a44cecdec9772052887fd4556a8a83fe4bd3

SHA256
bbbff00d1cb5f1322ba4f834adbe26351b1a8cf5bc959ab62957430c8c048cb3

SHA512
a1e04c651e540969bebad8501063eb77d3e403c8d436b716e2d578a33ecfa9c74a6a81c0bf22eb833eba84d6e9d83764252298086e040e143988d7a1a10ee135

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a311fb8dda5c15790b42f1f1a72afce8

SHA1
ae7ca46ff5e3496eba4f9c3da71c9e7898f8a546

SHA256
15a44d21ad65cffac2c67fe2b963ccb80e6277f1e7e03c538342f88e58085631

SHA512
8e3a9fd03dc9fe0431850b62857543dea7aa3d3f924530fcf65a2e84e0ba97fcdc1406c6f3389469962875f0514e0cb405fe3c4248f99f9f75410c05c14339c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
609a86756831e58d36b7416919fceff5

SHA1
a1f4265627599a004f643fea13ce89555cd6572a

SHA256
6d85167bafd51b126fce1f8b6c87cae44482d12598e23923a4abb0981ca3586a

SHA512
ddb9c016d31a3427ca54c89ba93f19d86ea0298efb6268286fdbf3760b6bf6dd938005881189851b052e6d6127f30591633e3d235cc3d0a52c3d9a73a04836ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8cf71d981981915414969c8667dbd19c

SHA1
7e8593e2fb65627385fe61d0dbce25ae8df2961c

SHA256
b8fdd59d2096c69344932cd721a59a384154a2c2c9507c912dca3657c3663eeb

SHA512
e6ae2fc5cb309c5494796088697e2ec084d4d8c6905b5196fc2e1e4853ad27951f808e7144165db7e7e3fc057464f83e4f61cbb9bcdd25c12314d8b3861a1643

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c93e8d85b31034e76beb84ff20817687

SHA1
2ba8e97fd5f2ebf65b113c529c2e2ce8177422c3

SHA256
1262c308eaf3cbab781ee43ff262727dfc00d5b3d6c9b91570f6f79e624281a0

SHA512
417b7239bf27d5c8c8fea4b7be6ca9e587259f09369e1f71e58cff0d280a05b0f60b2397a934b4dd1379b0e8bf3e28fcda9327efda5637b0552e3355a1319983

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
656aa257b438641723feae42bb945f7a

SHA1
aa1da3bd5a350b8f09dca400a75b3404935e4d37

SHA256
630daa27385aa78fffbb8919441a7cce6562f1a6b66a19f1292254226691bb79

SHA512
3243c29a4a1b8f90f460b597bcaeebdffe2cba0dd7c793f9ac40685ff9c1b58c37778165a0821214cff09dac4a63a266043a78b3f9433d0330db21dd7f54e3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6bbcde514c35a6917c338d1a9cf27172

SHA1
20960d17e6db45cde61355b97f2359d024c9d1f2

SHA256
d8a759299ac4c779c850c5f214ca3dd9cb6f0bef79775324f268fc2dfdc250c6

SHA512
b678c1382c853d82b96872b4a6fc873d14cb370ff6da0028b78b9e9a99b3a4f2df2977de4e2d4804dd8a72443ddfa088842cb911b21fc134258c3e2725a6bf09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
33c0658d5c99c1475f15497c03e7ee60

SHA1
b3163900e09002e2c89c85268da03173635cb4e2

SHA256
02364f3342d6bde57f515d94b5152e8438fad3601116971533e40e1c87938e2b

SHA512
242a65aa909719051342055b5572c12bbe5cd8c42c3cb3a35fe0ace1abd0f98c43408395935376ab5a5a3471151c160e13c3785d6148e2833e33571fbea3f4f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8ec570d816129c9715a940c7aab074d5

SHA1
707bc1f12c6c187c851ba38ecf95e4aba87ed489

SHA256
a6ffdfb100446bdb8c917b009377fa12d47e1ad552ab7a641e2c5c3d2e6fa233

SHA512
8253dbb188ccba55da6291ad86b8b04efb7a4d8a258991935b6e88cf95bddf90638853d01123b785bd5387e3a8536100b29f4bfd9250f2e53a9743aafb46e07b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b39c602f228d821b0e3303827bce8a32

SHA1
c0c51e8c0a9c605dcdbc5337e68b0c51bd68a4d9

SHA256
345f8c4347df3f09cadfefade17d3ce01996d961cfc225262c9916f69517249d

SHA512
f2a034579bdf4e9c8604b2165b84745971d2b1e9b329e6d39a42dc6069ea11571aadbc5cb106647df1f517fd609530d2fb5d992620f31a003592f1f51efae845

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fb53be31339f7c2bb3ec88c6a713a70f

SHA1
1e95ea0677ec908940fba1e1b7d28ac42997bac4

SHA256
bc2ab21fea7b1d6f6c0f576d179c9023ced1ab3a1b5f2f44aa6c52e1a5cf4cef

SHA512
4018cfd80f8d367d8f411a30105f79b9e624d8ea39468eb19bb241dbb744ef4ece04222b7911258b2ba80f4740b48427fb7c99df820871a3b3e1bcc0521e45d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
79be29d1bd78893c0f2f5af2cd3c8e84

SHA1
5aa2a0d941481f57a0f29e3c1a66735f4acb4cef

SHA256
aa83c5947674a64536b1054fb4398dec4fbb57519fdf4fb592421d36cd14dc39

SHA512
5c8c0a53f115cad5525f625809f732de2a95bcfce492df6a4dd937a495dc3eb4f176c1da86b738d1499eb17b6b8e6fe19a5d4a84680211446fe79642cbab342d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0348408891114006cc4e12b1adfed4a9

SHA1
bb7707e904bbadbdf04969ebbf66080c1b49c267

SHA256
d3984264fe9c85f02a115b9f02be63d676f5c6ef1a57ed9a8d3a5561781a58cd

SHA512
7320b116fabcccd0be487aa5ca83910d1dc80a9f7726268e2d98d188067142c89daf68e2b2750892288406ce31d91f864689b46593b022a7af91d47e7565636c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8e83d954d2463ff62507266e67666a4c

SHA1
9312928cc6f39a7254b3dfffd51fcf6f73bc91be

SHA256
b1a0360e73ea76f176d443c26cd1a24d97c80599bcb2a35c7df9d8c2ecf43d97

SHA512
228efd3b6659fb7cb8a503f715953380f3fd22c9e31999c61ae4278b4390f08ba31e303dfdbefc3589ba4a1f26943306a4dceaad97264cc5f45d7f7360b94fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
75a6873b92ef77af7dd3c6f6196af3fa

SHA1
a498ecb221355ffba61de47210a1f9e737e1f840

SHA256
65ab2b9b519bd9ba1434c61aae7870754b30515ee3210a59d3027e5da9831668

SHA512
abe974b25f920c699e4d9a4585dc414ae0eff39971392592dc5ceff190193ac135a38683c97adfd6d3e50c01fc71616ec4604be336c9c4c6bc6a55c67cafac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c0b444c8278cb0effcab08641bd37f08

SHA1
59a215b219b4093f9f06fbc09b7778a07a593d8d

SHA256
aa9cb555dd020c8c3a11cd6cc71a726c7b4259ab88dc3db5afe8d9294f483ecf

SHA512
b6a6c95326bebb8916ae80c0b75fab832a118c7a151364d26707448bb6f8209489b14577fbc35522e3fb0c87d41dab93e252346956024f6303410b46b49963b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f599626f7c48ecba03509ebbbff10eca

SHA1
a73b6211d63446269cd71ed84ed4339ea2546b23

SHA256
3bdc94ce130cc8700b295edcbe46cfe253f7de4b0a0a6d9f655710c6bde347b4

SHA512
c45d3ca1506eb739db283f75605631b2a6e997d5e0eaae29ac300fecc883e73608dc2a2877062077c752c011a2575a2ed55f5caaa68110ce703c432a625e04a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ceba0141840d075375ef2386beb3eeb2

SHA1
b9efc93e73d728082f713d12a6c3ab33077f6b1a

SHA256
af4130a7cb4e71c4d2e581c33701826e6ecdc67f9393d4803f332b77826ba784

SHA512
aa71209ed95d18df147f8e7633070148fc29981c08cccd953679acdff408d6f9958eedf4bff8229deca5c4f731de1b77cd648aa43a3947f241bb41bbee2a4ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3cc970326206939387e0db3a8b69c60e

SHA1
643030d19cb484f9d1e4427c468a42c9741e2418

SHA256
6c8929546ffe845e1127960ec668b3121e6d20aaf4f68610123f7073a8368481

SHA512
dc0217423ccefaa3a152ed4d171abed8d0fc5ac308922bcd227f1fa14b5d11d12d8d047513c0b57fad25b4bff7c8fec90ce68b81b81661d2d2d85716cee4fb3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
84355b9cf410bc04c20046425f4fa8d9

SHA1
43bfbd69b2b9a6f66f545dd96b19b070337dcf90

SHA256
1c41e26ad0e154bc7ad23776dd67ab7aba3e540134136232cd84f986303974f6

SHA512
d6078f2ecf24fd39a6c21e729bc0e39535494dc9c55e2cb0254fcb5c5f6e24acd79113ef037dc02e32f2f3cad74e7608ccf0b3c8e771d8b33bf7dda0b6170d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c21d3b42f2ada6053c0fd00c7dbdffdf

SHA1
8c2aaef848cceefdd4753737132d0559de390a6c

SHA256
eb2f3cbdfc9be34d2bd5f9a86d2fee7b7c0e9891c90a174f65c6d8fe3ea56e91

SHA512
02f2fdc733cedc0c60442bd11c3b5eb6b6bd9eb2d71885a62b5c6a1f833606e4b4616dbb8cd5ba93d2b01bbcd1333e867e3428d66b0f4a72485b4887fcab745a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3371856e74a24294b53935ea2b3eb3b2

SHA1
6cd3919f10e5dae6d9e7816442656a476267ca2a

SHA256
d92184e76791e39adf44e39049953797b9781435f0117ff74629f80228bea06e

SHA512
3711c08dc473014d4f6ea2c930e75bca1bead59e92e667eec80e3d7f3fae2c2e89256b80c2d4adef1415d82c9a2ad1db071926946676b849fbecbfa439ad84b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
844fe9bf213c60a38530abb3438e2501

SHA1
de72d518d56156ef9f00e46b6929b11355d40830

SHA256
2764df545a1ee24ec4efc19b3be27bea072659f31158926e1601388a358577bc

SHA512
2d861199f326fcb56ffccd974801ce91afc4ed7b433b665b460878fe702ffc5781b161d6ee55484ba963bef14e03e17ead4653f069f0d87896d3c9991c15a2bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2305e098fe0b0e83ce8c77f96ccb30e9

SHA1
2cfb7ef81f32a7133bb6666024b4cb2890c9f9e9

SHA256
8e59d2f7d259f28c412aea1b7e1e505eaea22e6a1dd13fcf6ac4f61793ed4fd4

SHA512
06ad620582cf84cb2edf5bfa72985b09bf3b740399666bd9478a6af913742190e511f2f0102ab52272b453b3dedbbee96fb3002298e5f430aae8c8a943eb1471

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
860211c754a968f2f2083bc436dbf7c8

SHA1
6ec209de75faa639bcb8add08ade9eba75e07919

SHA256
9c9bc3744e24b668a458e038c250d778dddc41cec412033251b15de645f08f3a

SHA512
2a5d53e9c4ff97a15ec7b297e43dbf0f3352fa488ba8574b9a731f771185957c97de48a2f2d5c5f32d51f20cd3f80ddca5ef3061381545426438400ffac55fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a85095e4efa3578b04a3c9eeaac0151f

SHA1
8216d383281d8d95ee8db8708fbddb29caa79ea6

SHA256
d2652b7ed557f1cb770ec7b7d268dcb0681b60ac01d4a4ecdaaeafd9e645d806

SHA512
093da1eaa4efd309b998797f616314168e9b7a5fb41ddbc4f74954e08975a50351e4680ef34ad4b35d2e2a13008ae4ae62951a499692f539a56104eb1046771e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4d3707733931720c7223adfabdd7feb4

SHA1
c478b103832ea1234114fb44f6055eb3245923c9

SHA256
3f8c2301ca88c437a259b5c2052e8eba09bb0df306c1efd0dc06b9a13d50418f

SHA512
85ef729ca1bec765bb4934a3b313180a165c6dc289565fba046a7e1af9008946efa7d261979f47b87b5892fa49fa23b8b249889bde4abe722cc291ba73ed12eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
22e1fed1660d1c1f7a670ade02aec950

SHA1
0dc26f50564d219e0324b06d39f86afb1cb526dc

SHA256
77d3f73013c99481d2692b8cee07463d619906853f3e7600560313519c6d82f3

SHA512
f23fecf38e5ff831a4cdd9c3cbfda5b38d825048f1a5f3c324c2de90116d6e2b0ca370f2b2c5d879a02cab9d846cfffa5c461f9bd19df806b62542d1fe6d6a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
53a4756348d1289c10beec16df6cec45

SHA1
38a2cd89dd819fbf5f2456793ef19c05a45a0717

SHA256
e5b67af99727765b30e2858ecebb9359bcbf5c0d309eccb5d366f3322d1ce8f8

SHA512
5807c006835adf88ddaf7ce16ff0c55c0fc8c797bbbbe8a0433c64b3234fe68dd120aa0f82e8e391007122f591a89384f7b970a015e07f37970d295e2f03d24a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6b90a9f3d395b57b55be56ca75ff0f40

SHA1
c1e66375a49257ae4efc011400a879e73953379d

SHA256
850e37e92aa7c6f1a0c1d0eb0d1c09b73050f97a3c0a2ed6691ff6011c4baceb

SHA512
cc7f395ffb79b93393d867ab9ab3b6731b42d1a6228f3ea63b56db1c692b4a85bb510cd287dfccfca2d83f1ca5eac23d7f34fc0a8457837dd6dab3064466e73e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a60fd2329c1c026b0fdd1fdfb6c3192f

SHA1
4ccb66797273c966963647cae562364eabe26cbb

SHA256
953b312d13707412f13816be3f61dd9aed3453cd8e58e8cdf3cada5ac352f36b

SHA512
d2399299387af1dcc2b4f6ef730034b8fb37a6d762360ff1e5238a467aad6e3aecddd6df49514710387ceae481994802c2ad2dc566010193151094e3f0169ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7251d936784dcb5a81ebe9fa899065af

SHA1
d6f4bcb9c1b28cdbc8142125d17e2ecb13d0a02e

SHA256
827270d7fa5543e3f113c9d27201a6367b884de9bd166bde929076c0ae6021e0

SHA512
91d04a67f330fbbe8faa0b6a15d3eebb36996e4f9734d38c18be7238136aece69c215b47f53fe027c38de171d501002aff8e7e81671815d739c6959a786ef261

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
93599f3a9a2eeab8a1ac93d8540b9721

SHA1
6a5cc683d04173d0f2de47959bc2da3c9aaf9cd5

SHA256
a58e24c796c9eb12207ebbb794bab63b2749954ef6609da149862a8e0294133b

SHA512
51e768303ad7fd226670c79c10fe5fa1abd86a82af231f5ef16b5d20a60508e88c7222bd87e95b0ee3cd714e64fcd63fb35ad9d75f117873a1bc8eb9ccafa5be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1c70c81c4e48e77de8a91a692c87902f

SHA1
ac0fad48d3f1f59e308cf6757c067ed9a8dbb736

SHA256
1fb340426521d5ab22c1036b24f4a4c76cfc84665928a58058273db49d99ec7e

SHA512
e4621edbc32e139208235fd67279fa91f8d62040ab8e47cffcc24e21f221ef8303106a6146d95eca1afd7969d13eb56ef35b340bbc18b50fba848d73186d2b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
70d64b94fde32d12252b20f31d79c069

SHA1
c2c9cddefc424258d0c4438b20b87a521e209b20

SHA256
4c940f52180751053c4b49a9670c63d2eff59bb3d9ff13eaa5a4d38acc693938

SHA512
d5f96a21de5bd2f29caa7b69ce02721834cbca03d0a7bbd7d7f6b32814d9ec11fd4bab47a6ea8740a447d6fa32c1dad88365f900779a6ca525eb64b2bc96e27c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a184c7f5156fa546bc780af56746fa43

SHA1
5c2e05eaf8a7740f61f1d7ec63c59a0af421b0c8

SHA256
3c51f4d034ffc40a8677282b33699ba79d65a25b1466501b478b31dcbd08246d

SHA512
fbe2337a69a9a0ad437550b8c99b7b76c27f4cef5f19a6ca11d6411e67d8fc16f420a972c46dfd957d610b8c42bd733400d79fc684fef6b2e99012fd26326b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2fd2067234278e27be513ff2212cbfa4

SHA1
2bbece811e72b571c93f2f1fd7ec66d963da4391

SHA256
bcaea05c3aa257a977c48f6f59063b2651ed2d64ccd3f62c919bb3213b1066f9

SHA512
157ff10c1b3786fb0a097f3bfcb433f1cd80d0543d2d04a90fe6c01f4fccf90c3f5e541dd79d8284183433c622b5bf93b5cd5ec7d7eece8475e8a4f972932bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b0ddfbd59ce74af0581a37f4bbcd5997

SHA1
a9f3ca8fc6e7030cffe4773dcd49ca4203c8d910

SHA256
b2157c1cab5a4c40b554826995750086015acf56488c7793967fda002b98717f

SHA512
2ccf72c7e69f37872ddb5c425496384e9f35f7577ae0a5793b2a15131c0be4e6b8183ac84c1b6c53538fca745b04a178350afc64c17cf6fecefd6e5f49e36c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2fa5dcf8a4fe9141891a22969cc3dc80

SHA1
fedefbb6f35f1c1d6f913b4a219d62d283a53d3d

SHA256
6b3750342509eb03ea52f36745f9f3c7a65505b34c5dcbd44cc6134d08e6cc82

SHA512
af6f849912feced3cb6cb76c309e1ee3465b107591565dda8b5a5bebf246adeac41047e1e8bdeea22684c0b5f527f2466311003d11931714567f0c684850df36

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
274ce2a54abc577366e2a0e5e2812ec8

SHA1
7b421b42bbcf23e5cd6039fe7bd13a149a54e6ac

SHA256
1ed41acd78078f036d44a39b1511d06ff610f2d11f55a0581fa85fc37be33211

SHA512
70d0c18ba450f47f8927c974b640f72ee0caea44fb6f72d8194bcccab4ceca6492c551213968f197d2bcf993a39f32e4e2adef8d9828e6d66c205075364a62e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4ea76690e232544f14fde0dea0eb5ab5

SHA1
560e0140fb0bab33a43748f88d9a08e203d86241

SHA256
cfeaeaaf34c5980f7b20acd257a53015e9af63d94023de3a4a73b0deb9875a42

SHA512
768f5a833cd2e9ae1ebd211032dfcc48ce1e84377c6abb8e41ad9bd266f6f6198c5bb288f51dcce56d0d4db0157ca6d417744808d71f9ba012a8b75ddfe0a07f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
279dec8c136292a7cc9cdb6cec4fdc67

SHA1
24a2df412cece8c2d5cf1f153581559f28c4e071

SHA256
7e4802c05ad8d6266f9088cd455b7631c479b8b987da45f7301b861a1adb97f8

SHA512
cefbfd948e0867fd521aa90face44a5e75e32b146a09c7e918a514ba9476440c4cd5a0fe640a645a8d8b433de3bc52276f1493181130677059b275854b559b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
cbe409583c808e29a6b09ae0843357d6

SHA1
844d8517d1f4c833da7c1d995938f19a52598d9b

SHA256
1eecf9d7fccfdf0bc1b1c4f6d21d841b6575571336978516835078458c452e34

SHA512
0387a308011a5fae61e59c344e2c6c6a1351d4606a18c5c73d6d5c8abe362ecd339f97f6f868e7c8852cade74b8c587db0caad730e3b7e5df9cd2e451dab31d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6568dda32621ed45cad1d646623876e0

SHA1
0c8e34fb34c99f46dca292b5f21b061b464b4a5d

SHA256
7c73d54ec85091de789a47be1e6323a8551aa6e32f6d547d68dcbdf009bfee1c

SHA512
835101d42b57baeb681551ae46b4198a4f44df14c4ee87643684e6f7cfff8a94c0f4015cf4d8b267eb1c5a94e395abe4d7d9b2299ee80bd1a3cafb9448a08f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
057c98a3c682e0080fffe7683b4fd6a6

SHA1
dfde9190545fa1ba75c3104e5d0cd4d9d9c85fb1

SHA256
72faf41c4b62dda67419361d3d32fd849b3c7a4af212cbd402973a3c910d9d83

SHA512
59d4b7eaed070fedb3d7b72a49fde42efc679427f0d8656b8308ce96928b7e3af125d10e76b8c8d072970a1b2c9ec5e96073089870b35ec6eb01e08bdba606c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4999f7e7ce0b9e9d10aae9057b3316b3

SHA1
50d5ad235a44f13a3041144aef6826147d846c12

SHA256
c0b9972282372b6fac89f048dd7507d946cedd9b74a781a7acf3ebb16905d473

SHA512
e634469411a9f355e5a490ad6feb477d1afde6c056a952dbd84ccf71220efd285856b8015172adffa960423580482bc8930118c18f3c372a546c9c08263edc2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a4d17e1e854a49ca420e1cdf54ca99b4

SHA1
1844455f9d99c27f2c0bcfd818a89e71d1872190

SHA256
0c570970bdf97db25ac94efd7ba21278ea1fc6529bcff8169f25c5fc84acebb6

SHA512
986929b882fa92577d36961ed659142067412a8bc20966e42b3587f903cb0e6da6ec6a84a43f0aa1a74f7abf1c45387efd0bb823523c3fbacd332c9b5b92f3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
41f95cdaece531dcb7629cf529cb5942

SHA1
fcb1f42ff4e9e3cc9701bca9fc744e668db9ec44

SHA256
9926a96ad6cd416f27a51b656fe26efff2742dca12fcbe6b4bdb522872929298

SHA512
464f6107f09aea0cfea46eda6449351fbc92e45205e4c69dc7eaf4043521af955601676963f255a8a26b6a60e8b11fba530c673a9976688cef8229b629a9424f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
50a401e10088d65b86e0edbd4601aaf2

SHA1
108a0607135c80e021aec9052be6adf59095bcb6

SHA256
ab8adf440562db0d6659c08d2c9ea64795ee81e0dfa51efbb54c2a27e6c9d46f

SHA512
09194c09f0dc4b072665f41b26b51ad89dbcca13b555b0952c81904927a993f7b46ea2eae4dd912b1f1c3839352a35380919afde0ffe756456f138f73a53e5bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9c38a88f32f9bc690848949c67a58af5

SHA1
281d942b0e4e4b54fecf9d949716f35b092bbe86

SHA256
f32b3776077eb053b49be33f56c4b83298cbe0d8a0dceee1719dde15761fc5c4

SHA512
62016b44ce8ec4ee5554d28f5af9669f6d99b4559a838c598ed539fe810f874636aa4debe4827dc9be481b48a7d2f80656c4a7dd5ac724cdd2443ec1a29dea4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
120b81c12f76a058bf0c7a9ea86034c7

SHA1
73aa892a6f6342c0ecc0dd08e4023bf8aabbbd5d

SHA256
6e197c329c2928622bce7ea205539865daf23baf9bb3ed12d27e1e73e82227c5

SHA512
98a20a8f27b5a6fd8d214f659e24f32470f10ac931125045533cfa615ef9eece084a9b48407b37dab2855226901cac9c1ab0e92fa34fa6af4cc27382fd2c915d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
71acaeb6e4c92d892103589f4cbb68db

SHA1
0422098e1ec0126d9a8e26d12b205bb99bd91d96

SHA256
9dc139c8ef88c508eb86c1af3cce797df2b7ab19fd0aa7db23148f8d6714b12d

SHA512
efb4f2c83cb3a511d44788e895c9dd8960630fea6e150f27fb7947f3e393657d72c6ebdbd9e8adec40ab6da09fe1aad8e939d49c49f083a0bdf86b230855a530

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
be81c8e1b0660074d21fde4620c67533

SHA1
663441e9df84734e91d0050a1b5b18af60118e6b

SHA256
ab8b429ca0ce40d8ffb20dbe1c0c5c12ce8e1cbca05f8fe14cee9bed71c4eae5

SHA512
03d297b53c6c5e214e92394f2ace3cf101af8080d93c35f2bcf9f9f13c1b1dde147be573cd6a3d0a8e1cd094ffa562710421617c483adaef8358885fe1bd00cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b6a78b7e4a6a637121c7b5f0751660c6

SHA1
613ec21a45fb978ab98dca7435a9c8c2fc831760

SHA256
5b89bf616942984c207a3176ce58ad05900a4aa396d7a4741749b152c1ae1d71

SHA512
31b55a1fb5a0c2352258d70d0491cb3b6d205e636ad2376a04d0efaa90e15aa9dec381bd81ac81b1648fac32fb9dea8db5aa0b9b5cf5577c28796e2e8b3e6b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
db86742de430fdb70b58796c48407874

SHA1
6a1b722e411628a0fc4e51600e1f9c1dc0eb5c46

SHA256
c5fe341d36294155d099ef88e8bbc0bcb37a919fe9ada3f5687e1e30b4db3e1a

SHA512
6486eba047d8373016c97173d6e919b4a9db063e82570a182937208402bba31c350546e4f82903bceba7817cb167a1f10d7175596374371a8e06242a5c95d2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4c818776ac83a3f9cf83ef18a5eb2d58

SHA1
03c6eb5178e549ebd04fc45e314d6e38b33f384e

SHA256
b0e9d8f03845a51ec505549ed3c56ef7897d37b98242d06ca982c4797ac4705a

SHA512
da9777fb599fdbe7962c655d280379ca92fe3f70b34f5d290b93429d4c059aa84f921dcef2c68147a592a851390cc6a369ea9569ad58dff00d94e68471d2491a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c512d676c307e3e5518253176a66ec1b

SHA1
6128c519967089fd12ec50899f6a530874d575c2

SHA256
92bb6e52ad118691a304e0845694c4c5a8a194197b5bd79421eccdb641ff2c21

SHA512
2502d8ae78c0f18c845896180023e57f713a977da6902d59d88996a58d020cb579245830995186025d09f17a6dba34b7fbfd360c11120ac06a2958b1b435ddcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8f4045d07381d37f2958a677e98a291b

SHA1
cd07de19e40a717c006fcd16eb4ecfa3ee54eda0

SHA256
d47f5e303b4273e77cddbb99f8697b94d7811d84c5da81aa65aee27ac62db2e5

SHA512
bc16d62272b5d02607f6f259bd6dd5fb25fa6e75ba62a07c97b449558f254528375b6bf9a21c2a1cd9459deb2a2deb54010055640d7f501cfe26d5b626d8c86d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fb7ebd5faae8addf33d7f496e2dced9e

SHA1
c747d6ddeb4776fb315220dfc1c64f07d673513d

SHA256
d9ee0c11fb38f2e207cd8686d755b01ebb3f52283a0b1d07f6079b4b8660b76d

SHA512
fbf64efb0ca36cad96b82ea70e6e64d154620a75439cd5f357e30b63912d4785bc8f574da234729a6deeff86ec1ae52b0c995d0dcab31eb7a09b669b47300ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
481fefbd534d0c5dc9da4ece8cd4780d

SHA1
0792abc00a9abe23a3213f8825eceb1ac515b87b

SHA256
d40aaa0baa768367a445dcef76f58ef5a9860fe8b5906b9657733a947b8ce306

SHA512
bba535337ebcfbfe08a6f6cc18068655a920c3dd94daafa24165fb55ac1c4b79833067c77e81ba9e569cb725947877946fdca547506d3787f7a9e70d7caca747

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
45a56468fbf97753fcbf33fc30dfbab0

SHA1
50e9cb15b004387c09d29033d81119774c75bf5c

SHA256
a65c738150edd6a382fc32bea08e80b98ee0aedc75cbffb43306118acdd6fa6e

SHA512
6b3062fc08d7ab335809dbda241fa3e46a48db83b25f761c4d30ed44147ffd570b2e22a822287ba9188bf095e5303e3adfc92e0eb1427726854edf44e5d7f91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
88490934aad068ff2d2b6ce9af5f9ef2

SHA1
77b01af6c49b9cec94ebf51a301abf3211e956ee

SHA256
6a94dd7a2e3b0998770e55d4185201518dbd2f89bfdff061fc0e667037551a58

SHA512
1bfc0a47dea3c2e4a04a7cddbcf87fdb46300386b195f9377c1d1e397501e4009afac188fd2e62f51934f73226feef060f0905117fbdb6f30d36ac39eb4d935f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1e912a3b4f2f551b25b7dfd013ca29e1

SHA1
a1e876516ddcff5252ab54f8293039e7eea08b96

SHA256
3a80b09a8e1b611d953f9d756e99b62ad5ff84fb96d2d93cdcaa5b33a14d8d69

SHA512
0c14c715095c322b43b0d2e4497d546aa36d87a57381d669542ef500d5cdec71646369805bd4ec54a3fb1a19b99c9337ab07f14d3d0fcbb16c537b0ec3228585

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
bf49d88cbbab752fe5c83d6d481bbc62

SHA1
c0c53b94766063a637cfcba8a1455d8a0f2b205c

SHA256
26462c6b5ad1e5842848198d47aabbb18fcce4f5b9d0cc3e38c080dcaaa930dc

SHA512
2f60124fb144d689b2a79e1b0624537757369515c8d3d233d86764131cbb8a00d103c96026b26908f85ec3e3f1d86895122cead7255ccacba8480d34490b2926

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
86716e24aec4e7b19159b0c1922398c2

SHA1
ae7fdedeeaa6ae60e517839913a20fead475c17b

SHA256
3536d601727b27b9d013a6099b5c2ac9c0758ad68dbc56745c77b056fdaa1dbd

SHA512
007bdcf41e2d8946650e247900d1fbcd7789653b386003076c32877fa92df7f8555cc4acd669cf627c61c83be9b5755264ba742b3180aafb4fe6141f741e5f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
62cb03d264a5717ffdbceee8fd42bc47

SHA1
a187248d67bbf858128256f11faf9bdb3e31d73d

SHA256
3cf33ce0b8009216b28917583ef057a2afdc1caec6f94b7d3a855c251ab6ceb4

SHA512
5e271d82df9f0094447529efe850374898186e1eb5d2b00e5dfc7299a23223e8fa451b66311ebbacfa8cae465c37933fc001bce4c3f9238b3b2087d7bfb19d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d1a7606e570986eff480bc3c955004ff

SHA1
a882115b5280beccfbcab4655ff8ee4e7e0091f1

SHA256
c7d4960fe0a4df662b74395f85276c75b5964b1743d26bd5b79fac3340c211d7

SHA512
f102790e1e4dbaa28fb56fe808bfca6e2344b78859be1d88b26a9cbbb5a542732624f3211ab993f0095fd006a7dd9920675212615f1630a19a832968b3b21e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
388d23f62256e80ecce7619e62587632

SHA1
c58eedc2f519ff7bc9772c8b8640a98f77d2d46e

SHA256
385134bac4415eeb8b48c0fffa35847b94d6acc83165595221e99dd746700d72

SHA512
3f983ff329de0b74c197537358128c93dec3a3e81300ed1f4a700b7588685fa347850a528fdc19399ceb130ef12f1ac4c6c10cbc8c31a59836c36c1f89d1dbb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b10a3eb93bbd81fdc44b3e64cd92ca07

SHA1
365e2a9e02317ab556c11f2c0e6d1bcda1fa958d

SHA256
1dd1ae15fa3a8121c1009bf19bbd90b2ffcf95ef69525841d23374b7baab58aa

SHA512
9fcf3b9f97b75dd8193f7578b329781167c58be2b6de111db39d21aa9d5cf5b5c5e667dd19f546b1b429c7cea15b33cc2a88d461c1d382d6ed58c359a7fffdc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
77665318d8ac9cac204f6580594a9af9

SHA1
f61fcd2d31f0541b262e1a244b19bec2676df55a

SHA256
8efafdff746d4cd85b0a6c4a36ebbbc72b0d825e533927c52bb9ffcee4c59f66

SHA512
87fbeb930ce007d27ac7cc71e5119b9625875b2428a2e9881d578d96fa45311b146c38fd9752b816d84db103de5a41132e5a04e602068959869d29895d3bb069

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
be523acaf90a1a7474c33c3388a04929

SHA1
c9f35146e50e55869da3a53f6e381d8ef87a8d3d

SHA256
b056302f455bdb421f934aaca6b3b5d09fdff28ee2ce46ed922f5d89c3d9a723

SHA512
3e0ef9793c687b225794032ffe1cc2ddcc04a9b79e8c2a2f0df6df2689f1cf1a19cb97f4ce85396e13c482925e937da85ad3b2cfa5b86d036d7b41fa10eed5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
73f04b072ca58fcc83d6eae7d8abaf16

SHA1
2a7ce0d8d90f2b031712832495660801cab51154

SHA256
e6fad13ccaf97b42705b7c907ef888d40ad6f14632801eba30e5cdf950c75f98

SHA512
8986a641664cccc68a70f0b7bff19c8ddfdf40c49cc90a2eb151d92f43aceb3f956d30a6d3418df3102c7935f0b72683728bb8d236b01dee1a4440509348061f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4057ebca7414a56c09e2e4756ab30a00

SHA1
07dbea5a72ff9359ccd1cb375daf139c1170be57

SHA256
b851329cdbbb4d9db2e5eb88730514341191aaf420defb9c96c3ae90c6f2d7ed

SHA512
00f1993638547b62a045ff5d6560c2e1cdc1a7ef65ef4d522dc938ca2702b12b99b6ee0106f540f733173d9635a99c0b6df520d56b38b3aae0e1f4ffe1265743

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8b4b5b5d0bb25e37b45fd3a23e0cec27

SHA1
c0dad8d2349f8fbcbd53327f4a74b1770aa03c2f

SHA256
db1e38c6c4e312b7a5ddfccf2c3d6b6eb5e9214e9b4b8a69499df475bee8aa1a

SHA512
1328dfe87b86e4f4c3d8cbf67ed2798f6bf2f24cc1cb2bd6e731574bad668d0c8ec80b3781a58a6413cc2a1a68fc66c6e627c0319861497a27ba6d1f99fb7dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
979493d550cc9becc53c01c31cf2051f

SHA1
e23c94ebe090953fc57d68fd4e6489502d6345fb

SHA256
68d758d80b9d73c4173005de46bd86a5981f36d8b40449c0586e3b75acfa7d18

SHA512
6952dfea8cd83bf6bc213020fb981f1710618c23d6ca4ab62d0844fe65535cdf0389a8e97bd70178e39ceecc6589058d3e5ab67a1642543d2b600273f80310b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
73667f920e77fd0e2050d96140c7cd60

SHA1
fe1b40ba7248a3742c2f1389125dba4f00e59581

SHA256
7b519068b10e6e6ad28670152ce131e67657950b779bd59e57d25dded8100d90

SHA512
2e54d25081f8230259e3568d35ba51a34d039566cd177dfd7abfb2ba5be61a0bdda0cd7c3aa55d4ba0519d597e42502abf66295f0fa508c7c5850d34db24795f

Download Submit
C:\Users\Admin\AppData\Local\a.exe

Filesize
104KB

MD5
99a54c0b8d6ffc54a324c402dc45ae7b

SHA1
0fa3d9ecf91eda6a26b1edb183027e8ac6747d18

SHA256
abafd89b2bad5fb06bf1b1f3eec9e530b69f580b0954963ee79d59fb5da3301a

SHA512
33b750755d26dc0cfff58d4f8f66ccc7ffa481954f104b7329e3308197acbce3a2c803a5c6ecbcf66a33933de06ddc4897953c598f23b424640cf9cb222bf8f5

Download Submit
C:\Users\Admin\AppData\Local\b.exe

Filesize
249KB

MD5
2b822f4496b01a8b6bd563d00de6c746

SHA1
db3f0675484d0c75fe4c29263d0dd7f7ea339d8f

SHA256
8f22617ff76df9e79440ee57002873b27e412abe8c4758181f54a73dcd2e4b65

SHA512
b0f561671fe3ede21e7495c6a3de05b14a73e037bc345f262b338aad501e31e9f7dd3db59d0fbde458e6dd95992e043250236d70efc3292dd3969391de0fccf9

Download Submit
C:\Users\Admin\AppData\Local\c.exe

Filesize
254KB

MD5
756e44bc1c910ba44a79288b93e63824

SHA1
76f4702cfda7efcd66bfcc2ee17f682fc8347b4a

SHA256
b277317de2e559957fc19b71a37ba93f92b581c2dc291ca1ffebdb3782cb7a04

SHA512
23148d88eac4b0a65ecabc02a0aca3c30476a0cb5750775102d565b740cb3d2acabf830997099bac51ae0956d0e6677786a5633a80bfe218ee11aa8476f45ce6

Download Submit
C:\Users\Admin\AppData\Local\e.exe

Filesize
957B

MD5
6f915fe9e56ba6842800e57945bf56a3

SHA1
2a6ea9b7886c6e89036edac4a7b169b520fd32a0

SHA256
3da70f7e68b466661da604dab41f5f9307d87bd771af196f49d0259fb82e9c7d

SHA512
2038bb9eec8e231906405cb1fee2249ec7f290b9aa3c7c122e361afbf4c6e6c741390229bfdc959a3d5bec111cc11a44197659955f2c12ccbd0bbabc20620a0f

Download Submit
C:\Users\Admin\AppData\Local\f.exe

Filesize
7KB

MD5
4c4ef9c9f4a142c1ab22f177b7a1e65c

SHA1
c406db0a716f638d894a6dc38c72f92785a6640a

SHA256
62545100133608cf38665b4ed0b432bb3c3e703ab64dd047d8a3adf34b0c6a8b

SHA512
abd12ef5627e78d51136677ae270ba41c0b073cc5b91545d7eb57761d4dd4a19d9aa09b3e7d8c7fd224554b8a704017ac73a3e9b90abb5f545906659e4439718

Download Submit
C:\Users\Admin\AppData\Local\g.exe

Filesize
5KB

MD5
b8b3d105a33213f84a0f71c8914ec74e

SHA1
109c6aa8869c121c4c93c91fb2095363c45db4b6

SHA256
1b7d6724a2c74d5203ff5a9f82c245d291bcccebc0daaa6f43aae28469559a2c

SHA512
269dab4ff80f854c8fd8b017cd15e2c96c0be907f8bf437e1ac21dfeb3f4e12bfd5d153dfd799ae305188ec4bae15d0ad87c25ca275529e0fe6763babc87201d

Download Submit
C:\Windows\SysWOW64\Script.vbs

Filesize
214B

MD5
1d845c764862dd0c111e312d9cf8614f

SHA1
a48190c06dafcb54e6aabc9afb745b55012b8613

SHA256
ba61b1cbcc413986d7d51ab16570755ccfe931b8e101cd0bc5d260048527fa01

SHA512
29f649e1fc98a8e3d57b40d932c58ee92f00e6d79bc9d9f01fa526549b813ac8be368cb8ddbc1d80befec7fb1bec92d57bfbe293fccb4850beab719fccfb17cc

Download Submit
C:\Windows\SysWOW64\_dcsc_.bat

Filesize
70B

MD5
4376ed56d78db6eb600a9f52f2d1eb5d

SHA1
41727039e4a28f8f796cbbeb6095e984310f5c16

SHA256
00c14b0d4bf89ea58696b2c9d4274c02f247377df3ab5334987fe194f55fe22b

SHA512
3aebdcf9ca7a348bd96ae4d2dcf81a703757c7c48d3371f2eb179af0796f8efe6da9ab4d10bb8ea769cfb3bcfb0b5edd81f2577edab8887bdcf04270ec745350

Download Submit
C:\Windows\SysWOW64\_dcsc_.bat

Filesize
72B

MD5
44cefc62c6b9cd2b2fe2773f80295f3c

SHA1
33d6a7760f6742dfc25b773e96d0a4c4041a89b0

SHA256
8dd01801ab8ac129672ac18be968fb60041e9ab06b0a5c3985d4605418585a8b

SHA512
8b0a53146249cc338f9917b47ee7be521badc4113116f18b098c5da640cd063380ffbd4bddc7253bfd5338dabdcd14a57e3b9e124d1098887fa1ce575b2c3c84

Download Submit
\Users\Admin\AppData\Local\d.exe

Filesize
170KB

MD5
fb6e835a6298395da262fafd15b05d19

SHA1
093eb76e6f9faa62f47fafe54ab0a7279e4850b9

SHA256
288f862aead2c6e7e80150d66f4e1047d94dac34209955de4e90f4d88002f7c2

SHA512
80419acb6d46470371319e6ebf98a62145571bf3f2316bf038a9784aa5f3aa05de4760b86da7fb1cc3b8508a54de41abba5699ac00e5fa969d36b31ec7dc1282

Download Submit
\Users\Admin\AppData\Local\h.exe

Filesize
289KB

MD5
c84d00fe4cad66c87c0e56253eebf471

SHA1
8ebf95a00f50a7f9f74b95959a1434937b699532

SHA256
0f06d5ad579a0ffb7c232575543a0b5228f162fd8c35e47bc75e88ebab85afc6

SHA512
e5c38029587fe0ef139e00ec2889fda7b6fc64e3c59b6eb3ad7988175e27df2c98937f2441a3470089bba867ee85274bef71826da0638536da5da9af38b1e42b

Download Submit
memory/876-714-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/876-734-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/900-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/996-70-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1108-28-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/1572-1235-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1572-1249-0x0000000004430000-0x00000000044F4000-memory.dmp

Filesize
784KB

Download
memory/1572-1248-0x0000000004430000-0x00000000044F4000-memory.dmp

Filesize
784KB

Download
memory/1572-1259-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1620-1105-0x0000000004390000-0x0000000004454000-memory.dmp

Filesize
784KB

Download
memory/1620-1168-0x00000000044C0000-0x0000000004584000-memory.dmp

Filesize
784KB

Download
memory/1620-938-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1620-1179-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1620-1134-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1620-1106-0x0000000004390000-0x0000000004454000-memory.dmp

Filesize
784KB

Download
memory/1620-1151-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1632-752-0x00000000042E0000-0x00000000043A4000-memory.dmp

Filesize
784KB

Download
memory/1632-753-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1780-1185-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1780-1198-0x0000000004560000-0x0000000004624000-memory.dmp

Filesize
784KB

Download
memory/1780-1199-0x0000000004560000-0x0000000004624000-memory.dmp

Filesize
784KB

Download
memory/1780-1209-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1804-89-0x00000000044C0000-0x0000000004584000-memory.dmp

Filesize
784KB

Download
memory/1804-97-0x00000000044C0000-0x0000000004584000-memory.dmp

Filesize
784KB

Download
memory/1804-1150-0x0000000004490000-0x0000000004554000-memory.dmp

Filesize
784KB

Download
memory/1804-99-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1804-1107-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1804-1162-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1804-27-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1804-1148-0x0000000004490000-0x0000000004554000-memory.dmp

Filesize
784KB

Download
memory/1900-1310-0x0000000004460000-0x0000000004524000-memory.dmp

Filesize
784KB

Download
memory/1900-1321-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1900-1295-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1900-1309-0x0000000004460000-0x0000000004524000-memory.dmp

Filesize
784KB

Download
memory/1968-59-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2060-37-0x0000000000280000-0x0000000000301000-memory.dmp

Filesize
516KB

Download
memory/2060-19-0x0000000000280000-0x00000000002D3000-memory.dmp

Filesize
332KB

Download
memory/2060-20-0x0000000000280000-0x00000000002D3000-memory.dmp

Filesize
332KB

Download
memory/2060-26-0x0000000002060000-0x0000000002124000-memory.dmp

Filesize
784KB

Download
memory/2084-1217-0x0000000004650000-0x0000000004714000-memory.dmp

Filesize
784KB

Download
memory/2084-1228-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2084-1215-0x0000000004650000-0x0000000004714000-memory.dmp

Filesize
784KB

Download
memory/2148-101-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2148-712-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2212-1214-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2212-1165-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2268-1402-0x0000000004490000-0x0000000004554000-memory.dmp

Filesize
784KB

Download
memory/2268-1416-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2268-1401-0x0000000004490000-0x0000000004554000-memory.dmp

Filesize
784KB

Download
memory/2268-1388-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2320-1169-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2320-1293-0x00000000043D0000-0x0000000004494000-memory.dmp

Filesize
784KB

Download
memory/2320-1305-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2320-1294-0x00000000043D0000-0x0000000004494000-memory.dmp

Filesize
784KB

Download
memory/2320-1279-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2320-1194-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2356-713-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2356-1136-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2356-21-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2356-110-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/2372-1244-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2372-1218-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2372-1232-0x00000000043A0000-0x0000000004464000-memory.dmp

Filesize
784KB

Download
memory/2372-1233-0x00000000043A0000-0x0000000004464000-memory.dmp

Filesize
784KB

Download
memory/2444-1289-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2444-1274-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2444-1278-0x00000000043B0000-0x0000000004474000-memory.dmp

Filesize
784KB

Download
memory/2564-80-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/2584-757-0x00000000043A0000-0x0000000004464000-memory.dmp

Filesize
784KB

Download
memory/2584-768-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2660-71-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2720-1213-0x0000000004080000-0x00000000040D3000-memory.dmp

Filesize
332KB

Download
memory/2720-1161-0x0000000004080000-0x00000000040D3000-memory.dmp

Filesize
332KB

Download
memory/2720-1216-0x0000000004080000-0x00000000040D3000-memory.dmp

Filesize
332KB

Download
memory/2720-1163-0x0000000004080000-0x00000000040D3000-memory.dmp

Filesize
332KB

Download
memory/2872-1273-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2872-1270-0x0000000004430000-0x00000000044F4000-memory.dmp

Filesize
784KB

Download
memory/2884-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2884-52-0x0000000040010000-0x000000004004B000-memory.dmp

Filesize
236KB

Download
memory/2884-51-0x0000000040010000-0x000000004004B000-memory.dmp

Filesize
236KB

Download
memory/2988-983-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2988-758-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3008-749-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3008-38-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3040-1186-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3040-1139-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3168-1325-0x00000000043B0000-0x0000000004474000-memory.dmp

Filesize
784KB

Download
memory/3168-1324-0x00000000043B0000-0x0000000004474000-memory.dmp

Filesize
784KB

Download
memory/3168-1336-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3252-1429-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3252-1403-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3252-1418-0x0000000004630000-0x00000000046F4000-memory.dmp

Filesize
784KB

Download
memory/3336-1341-0x0000000004260000-0x0000000004324000-memory.dmp

Filesize
784KB

Download
memory/3336-1351-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3336-1326-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3336-1340-0x0000000004260000-0x0000000004324000-memory.dmp

Filesize
784KB

Download
memory/3548-1355-0x0000000004310000-0x00000000043D4000-memory.dmp

Filesize
784KB

Download
memory/3548-1366-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3548-1356-0x0000000004310000-0x00000000043D4000-memory.dmp

Filesize
784KB

Download
memory/3596-1444-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3736-1377-0x0000000004510000-0x00000000045D4000-memory.dmp

Filesize
784KB

Download
memory/3736-1380-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3968-1381-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3968-1397-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3968-1386-0x0000000004360000-0x0000000004424000-memory.dmp

Filesize
784KB

Download
memory/3968-1387-0x0000000004360000-0x0000000004424000-memory.dmp

Filesize
784KB

Download